AI Security Review
scanned 3h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
User runs `incur mcp add` or `incur skills add`.
Impact
Adds MCP server entries or skills for detected/specified local agents; no confirmed credential exfiltration or malicious payload execution.
Mechanism
Explicit CLI registration and skill-file sync
Rationale
Because agent configuration mutation is explicit and package-aligned rather than install-time or covert, this does not meet the block threshold. It remains a warn-level lifecycle/capability risk under the agent control-surface policy.
Evidence
package.jsondist/bin.jsdist/internal/command.jsdist/SyncMcp.jsdist/SyncSkills.jsdist/internal/agents.jsdist/internal/utils.jsdist/Fetch.jsdist/Openapi.jsdist/McpSource.js~/.config/amp/settings.json~/.agents/skills/<skill>~/.config/agents/skills/<skill>~/.codex/skills/<skill>~/.cursor/skills/<skill>~/.claude/skills/<skill>~/.local/share/incur/<name>.json
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- dist/internal/command.js exposes explicit built-ins `mcp add` and `skills add`.
- dist/SyncMcp.js runs package-manager `add-mcp` and writes Amp MCP config under the user's home directory.
- dist/SyncSkills.js and dist/internal/agents.js copy/symlink SKILL.md files into multiple AI-agent skill directories.
- dist/internal/utils.js dynamically imports a user-selected CLI entry for the `gen` command.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle scripts.
- dist/index.js only re-exports library modules; import has no obvious side effects beyond module loading.
- Network use is package-aligned: Fetch/Openapi/McpSource forward user-configured fetch/OpenAPI/MCP requests, not hardcoded exfiltration.
- No hardcoded exfiltration endpoints, credential harvesting loop, obfuscated payload, destructive install-time behavior, or persistence found.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/internal/utils.jsView file
21try {
L22: const mod = await import(href);
L23: const cli = mod.default;
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/internal/utils.jsView on unpkg · L21Findings
3 Medium3 Low
MediumDynamic Requiredist/internal/utils.js
MediumNetwork
MediumEnvironment Vars
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings