AI Security Review
scanned 5h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
User runs kevlar-4u CLI, npx kevlar-4u --auto, or npm run setup; runtime tools may check updates or submit error reports.
Impact
AI clients may load the kevlar-4u MCP server after user setup; no confirmed malicious exfiltration or unconsented install-time persistence.
Mechanism
explicit first-party MCP server registration and optional package-aligned network calls
Rationale
Static source inspection confirms explicit AI-client MCP configuration writes, but no unconsented npm lifecycle mutation, credential harvesting, destructive behavior, or remote payload execution. Warn rather than block because the agent control-surface mutation is real but user-invoked and package-aligned.
Evidence
package.jsonscripts/cli.tsscripts/registry.tsscripts/setup.tsdist/index.jsdist/server.jsdist/tools/reportErrorTool.jsdist/tools/checkUpdateTool.jsdist/utils/saasClient.jsdist/execution/config.js~/.kevlar-lang~/.codex/config.toml~/.cursor/mcp.json~/Library/Application Support/Claude/claude_desktop_config.json~/.claude/claude_desktop_config.json~/.codeium/windsurf/mcp_config.json~/.config/opencode/opencode.json~/.gemini/antigravity/mcp_config.json~/.codebuddy/mcp.json~/.workbuddy/mcp.jsonskills/kevlar-config.jsonskills/tmp/*
Network endpoints4
kevlar4u.xyz/api/v1/error-reportkevlar4u.xyz/api/v1/versionkevlar4u.xyz/api/v1/subscription-promptsgithub.com/ChurzeXo/kevlar-4u/issues/new
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- scripts/cli.ts --auto and interactive CLI write MCP entries into Claude/Cursor/Windsurf/OpenCode/Codex/Antigravity/CodeBuddy/WorkBuddy configs.
- scripts/registry.ts targets broad AI-agent config paths including ~/.codex/config.toml, ~/.cursor/mcp.json, and Claude Desktop configs.
- scripts/setup.ts is a zero-config installer that can inject Claude MCP config, but it is not wired to package.json install hooks.
- dist/tools/reportErrorTool.js can POST user-approved error reports to https://kevlar4u.xyz/api/v1/error-report.
Evidence against
- package.json has no preinstall/install/postinstall hook; only prepublishOnly blocks local publishing.
- MCP config mutation is activated by explicit CLI commands (--auto or interactive prompt), not automatic npm install.
- CLI writes a first-party kevlar-4u MCP server entry and makes backups/idempotency checks; no foreign agent rules are overwritten wholesale.
- dist/index.js starts an MCP stdio server; import-time behavior is server setup, not harvesting or exfiltration.
- Network use is package-aligned update/error/pro sync behavior; no credential/file harvesting loop found.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
CopyleftLicense
Source & flagged code
2 flagged · loading sourcedist/scripts/cli.jsView file
331const PRO_PKG = "@kevlar/pro-runtime";
L332: _proCli = import(PRO_PKG).catch(() => null);
L333: }
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/scripts/cli.jsView on unpkg · L331scripts/kevlar-proxy.shView file
•path = scripts/kevlar-proxy.sh
kind = build_helper
sizeBytes = 1475
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
scripts/kevlar-proxy.shView on unpkgFindings
5 Medium6 Low
MediumDynamic Requiredist/scripts/cli.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/kevlar-proxy.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License