registry  /  incur  /  0.4.13

incur@0.4.13

<picture> <source media="(prefers-color-scheme: dark)" srcset=".github/logo-dark.svg"> <source media="(prefers-color-scheme: light)" srcset=".github/logo-light.svg"> <img alt="incur" src=".github/logo-light.svg" width="100%" height="140px"> </pictur

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `incur mcp add` or `incur skills add`.
Impact
Adds MCP server entries or skills for detected/specified local agents; no confirmed credential exfiltration or malicious payload execution.
Mechanism
Explicit CLI registration and skill-file sync
Rationale
Because agent configuration mutation is explicit and package-aligned rather than install-time or covert, this does not meet the block threshold. It remains a warn-level lifecycle/capability risk under the agent control-surface policy.
Evidence
package.jsondist/bin.jsdist/internal/command.jsdist/SyncMcp.jsdist/SyncSkills.jsdist/internal/agents.jsdist/internal/utils.jsdist/Fetch.jsdist/Openapi.jsdist/McpSource.js~/.config/amp/settings.json~/.agents/skills/<skill>~/.config/agents/skills/<skill>~/.codex/skills/<skill>~/.cursor/skills/<skill>~/.claude/skills/<skill>~/.local/share/incur/<name>.json

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/internal/command.js exposes explicit built-ins `mcp add` and `skills add`.
  • dist/SyncMcp.js runs package-manager `add-mcp` and writes Amp MCP config under the user's home directory.
  • dist/SyncSkills.js and dist/internal/agents.js copy/symlink SKILL.md files into multiple AI-agent skill directories.
  • dist/internal/utils.js dynamically imports a user-selected CLI entry for the `gen` command.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts.
  • dist/index.js only re-exports library modules; import has no obvious side effects beyond module loading.
  • Network use is package-aligned: Fetch/Openapi/McpSource forward user-configured fetch/OpenAPI/MCP requests, not hardcoded exfiltration.
  • No hardcoded exfiltration endpoints, credential harvesting loop, obfuscated payload, destructive install-time behavior, or persistence found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 93 file(s), 1.11 MB of source, external domains: api.example.com, custom.example.com, example.com, expressjs.com, json-schema.org, mcp.example.com, mcp.local, pkg.pr.new, prod.example.com, registry.npmjs.org, staging.example.com

Source & flagged code

1 flagged · loading source
dist/internal/utils.jsView file
21try { L22: const mod = await import(href); L23: const cli = mod.default;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/internal/utils.jsView on unpkg · L21

Findings

3 Medium3 Low
MediumDynamic Requiredist/internal/utils.js
MediumNetwork
MediumEnvironment Vars
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings