AI Security Review
scanned 5h ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. Runtime behavior is a Korean law MCP/CLI that uses an API key to query law data and can optionally start a local HTTP/SSE server when requested.
Static reason
No blocking static signals were detected.
Trigger
User runs korean-law-mcp, korean-law, or explicit setup/HTTP mode command.
Impact
Expected legal-data lookup functionality; no evidence of credential harvesting, persistence, destructive behavior, or unconsented install-time agent control mutation.
Mechanism
User-invoked MCP/CLI legal search client
Rationale
Source inspection of the manifest and declared bin/main entrypoints shows package-aligned MCP/CLI behavior, with environment variable use limited to API authentication. Scanner network/env findings are expected for a law API client and do not show exfiltration or install-time compromise.
Evidence
package.jsonbuild/index.jsbuild/cli.js
Network endpoints1
open.law.go.kr/LSO/openApi/guideResult.do
Decision evidence
public snapshotAI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no install/preinstall/postinstall hooks; prepare is husky and prepublishOnly builds only.
- build/index.js only starts an MCP stdio server or user-selected HTTP/SSE server, and setup is explicit via args[0]==setup.
- build/cli.js exposes user-invoked Korean law search commands and reads LAW_OC only for API authentication.
- No import-time shell execution or lifecycle mutation found in entrypoints inspected.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
2 Medium5 Low
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings