AI Security Review
scanned 4h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot- build/setup.js implements explicit `setup` command that writes MCP entries into Claude Desktop, Claude Code `.mcp.json`, Cursor, VS Code, Windsurf, Gemini, Zed, and Antigravity config paths.
- build/setup.js stores the entered LAW_OC API key in selected client config env and configures command `npx -y korean-law-mcp`.
- package.json has no preinstall/install/postinstall hooks; only prepublishOnly build script.
- build/index.js only starts MCP over stdio or user-selected HTTP/SSE mode, with setup behind `args[0] === "setup"`.
- build/lib/api-client.js network calls are package-aligned Korean law API requests using `www.law.go.kr/DRF`.
- build/cli.js uses LAW_OC or --apiKey for user-invoked legal search tools; no credential harvesting or exfiltration found.
- No child_process execution, eval/vm/Function, native binary loading, destructive file operations, or persistence beyond explicit setup config writes found.
Source & flagged code
2 flagged · loading sourcebuild/setup.js implements explicit `setup` command that writes MCP entries into Claude Desktop, Claude Code `.mcp.json`, Cursor, VS Code, Windsurf, Gemini, Zed, and Antigravity config paths.
build/setup.jsView on unpkgbuild/setup.js stores the entered LAW_OC API key in selected client config env and configures command `npx -y korean-law-mcp`.
build/setup.jsView on unpkg