AI Security Review
scanned 2h ago · by lpm-firewall-ai
LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malware or unconsented install-time AI-agent hijack was found. The package has a real agent-extension lifecycle risk because user-invoked init/configure paths register MCP servers, hooks, and grants across multiple AI harnesses.
Decision evidence
public snapshot
- package.json runs postinstall: node scripts/postinstall.mjs.
- scripts/postinstall.mjs runs npm ci/install in dist/brain-mcp-server at install time.
- igris init writes AI-agent config surfaces: ~/.claude/settings.json, ~/.claude.json, ~/.codex/config.toml, ~/.gemini/settings.json, ~/.config/opencode/opencode.json.
- dist/lib/mcp-register.js grants no-prompt access for igris-brain across supported harnesses.
- dist/lib/channel.js and dist/lib/tarball.js fetch Igris core tarballs from GitHub during init/refresh.
- Postinstall only installs package-owned bundled MCP dependencies and exits 0 on failure; it does not edit agent configs.
- Agent config mutation is tied to explicit igris init/install/doctor/loadout commands, not package import or npm install.
- Remote endpoints are package-aligned GitHub API/tarball URLs for fiftynotai/igris-ai.
- Secret handling rejects inline MCP secrets and uses env indirection; no credential harvesting or exfil path found.
- GitHub tarball extraction has path traversal checks and core/ allow-list.
- Dynamic import/child_process usage is command-aligned for CLI verbs and local pinned tools.
Source & flagged code
7 flagged
- Package defines install-time lifecycle scripts. (package.json)
- Install-time lifecycle script is not statically allowlisted and needs review. (package.json)
- Package source references child process execution. (dist/lib/skills-delegate.js, line 37)
- Package source references dynamic require/import behavior. (dist/verbs/import.js, line 198)
- Package source invokes a package manager install command at runtime. (dist/lib/self-update.js, line 3)
- This package version adds a dangerous source file absent from the previous stored version; route for source-aware review. (dist/lib/init/prompts.js)