AI Security Review
scanned 4h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot- build/setup.js explicit setup wizard writes MCP server entries into Claude Desktop, Claude Code .mcp.json, Cursor, VS Code, Windsurf, Gemini CLI, Zed, and Antigravity configs.
- build/setup.js stores user-provided LAW_OC in selected client config env and configures command npx -y korean-law-mcp.
- package.json has prepare: husky but no preinstall/install/postinstall hook; setup is invoked only by korean-law-mcp setup.
- build/index.js starts MCP stdio or HTTP server only when bin is run; no import-time file mutation beyond env reads.
- build/lib/api-client.js network use is package-aligned Korean law API querying with LAW_OC/KOREAN_LAW_API_KEY.
- build/lib/fetch-with-retry.js masks OC/apiKey values in URLs and adds law.go.kr User-Agent/Referer only for law.go.kr hosts.
- build/server/http-server.js scrubs API keys from errors and gates shared-key quota; no credential exfiltration found.
- No child_process exec/spawn, eval, Function, native loading, destructive filesystem actions, or hidden payload carrier found in inspected files.
Source & flagged code
3 flagged · loading sourcebuild/setup.js explicit setup wizard writes MCP server entries into Claude Desktop, Claude Code .mcp.json, Cursor, VS Code, Windsurf, Gemini CLI, Zed, and Antigravity configs.
build/setup.jsView on unpkgbuild/setup.js stores user-provided LAW_OC in selected client config env and configures command npx -y korean-law-mcp.
build/setup.jsView on unpkgpackage.json has prepare: husky but no preinstall/install/postinstall hook; setup is invoked only by korean-law-mcp setup.
package.jsonView on unpkg