igris-ai@7.2.0

Igris AI unified CLI — init, refresh, install, update, sync, doctor, register-project for Igris projects.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as a warn-only, first-party agent-extension lifecycle risk. No confirmed malware or unconsented install-time AI-agent hijack was found. The package has a real agent-extension lifecycle risk because user-invoked init/configure paths register MCP servers, hooks, and grants across multiple AI harnesses.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source
Trigger
npm install triggers nested dependency install; explicit igris init/install/doctor/loadout commands mutate agent configs.
Impact
Can add igris-brain MCP entries, hooks, and permissions to local AI-agent configs when the user runs setup commands.
Mechanism
package-owned MCP dependency install and user-command AI harness registration
Rationale
Source inspection supports a warn-level lifecycle risk, not malicious blocking: the only install-time action is a package-owned nested dependency install, while broad AI-agent config writes happen through explicit CLI setup/repair commands. No credential harvesting, destructive behavior, stealth persistence, or remote payload execution beyond package-aligned GitHub fetch/install behavior was found.
Evidence
  • package.json
  • scripts/postinstall.mjs
  • dist/index.js
  • dist/verbs/init.js
  • dist/lib/mcp-register.js
  • dist/lib/global-hooks.js
  • dist/lib/channel.js
  • dist/lib/tarball.js
  • dist/lib/paths.js
  • dist/brain-mcp-server/node_modules
  • ~/.igris
  • ~/.claude/settings.json
  • ~/.claude.json
  • ~/.codex/config.toml
  • ~/.gemini/settings.json
  • ~/.gemini/config/mcp_config.json
  • ~/.config/opencode/opencode.json
Network endpoints (4)
  • api.github.com/repos/fiftynotai/igris-ai/releases/latest
  • api.github.com/repos/fiftynotai/igris-ai/git/ref/{tags|heads}/<ref>
  • github.com/fiftynotai/igris-ai/archive/refs/heads/<branch>.tar.gz
  • github.com/fiftynotai/igris-ai/archive/refs/tags/<tag>.tar.gz

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json runs postinstall: node scripts/postinstall.mjs.
  • scripts/postinstall.mjs runs npm ci/install in dist/brain-mcp-server at install time.
  • igris init writes AI-agent config surfaces: ~/.claude/settings.json, ~/.claude.json, ~/.codex/config.toml, ~/.gemini/settings.json, ~/.config/opencode/opencode.json.
  • dist/lib/mcp-register.js grants no-prompt access for igris-brain across supported harnesses.
  • dist/lib/channel.js and dist/lib/tarball.js fetch Igris core tarballs from GitHub during init/refresh.
Evidence against
  • Postinstall only installs package-owned bundled MCP dependencies and exits 0 on failure; it does not edit agent configs.
  • Agent config mutation is tied to explicit igris init/install/doctor/loadout commands, not package import or npm install.
  • Remote endpoints are package-aligned GitHub API/tarball URLs for fiftynotai/igris-ai.
  • Secret handling rejects inline MCP secrets and uses env indirection; no credential harvesting or exfil path found.
  • GitHub tarball extraction has path traversal checks and core/ allow-list.
  • Dynamic import/child_process usage is command-aligned for CLI verbs and local pinned tools.
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 229 file(s), 2.85 MB of source, external domains: api.github.com, brain.example.com, github.com

Source & flagged code

7 flagged
package.json
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

dist/lib/skills-delegate.js
L37: */
L38: import { spawnSync } from "node:child_process";
L39: import { existsSync } from "node:fs";
High
Child Process

Package source references child process execution.

dist/lib/skills-delegate.js · L37
dist/lib/github-source.js
L521: * True if a binary is on PATH. M1: pass `bin` as an argv element to `command`
L522: * via `bash -c 'command -v "$1"' _ <bin>` rather than interpolating it into the
L523: * shell string — defense-in-depth even though every caller passes a hardcoded
High
Shell

Package source references shell execution.

dist/lib/github-source.js · L521
dist/verbs/import.js
L198: */
L199: export async function runImport(opts) {
L200: const bundle = opts.bundle;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/verbs/import.js · L198
dist/lib/self-update.js
L3: *
L4: * Invokes `npm install -g igris-ai@latest` via `child_process.execFile`, with
L5: * stdio inherited so the user sees npm's progress live. Returns the npm exit
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/lib/self-update.js · L3
dist/lib/init/prompts.js
matchType = previous_version_dangerous_delta
matchedPackage = igris-ai@7.1.0
matchedIdentity = npm:aWdyaXMtYWk:7.1.0
similarity = 0.950
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

Findings

1 Critical · 4 High · 5 Medium · 5 Low
Critical · Previous Version Dangerous Delta · dist/lib/init/prompts.js
High · Install Time Lifecycle Scripts · package.json
High · Child Process · dist/lib/skills-delegate.js
High · Shell · dist/lib/github-source.js
High · Runtime Package Install · dist/lib/self-update.js
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Dynamic Require · dist/verbs/import.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings