AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM blocks this version under the AI-agent control-surface policy. Install-time code automatically registers a Chrome MCP bridge. This mutates an AI-agent/browser control surface outside the package directory without an explicit user action.
Decision evidence
public snapshot- `package.json` runs `node scripts/setup-chrome-mcp.mjs` as `postinstall`.
- `scripts/setup-chrome-mcp.mjs` automatically invokes the bridge CLI with `register --browser chrome`.
- The setup runs without an explicit user command and only offers an opt-out environment variable.
- The lifecycle script creates Chrome MCP bridge state/log directories in the user profile.
- The setup script contains no direct network request or credential-harvesting code.
- It uses `execFileSync` with fixed `node` arguments rather than a shell string.
- `prepare` only sets a repository-local Git hooks path.
Source & flagged code
5 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time source drops package-supplied AI-agent/MCP control files or instructions.
scripts/setup-chrome-mcp.mjsView on unpkg · L10Package ships native binary artifacts.
dist/vendor/audio-capture/x64-darwin/audio-capture.nodeView on unpkgPackage contains source files above the static scanner size ceiling.
dist/cli.jsView on unpkgPackage contains an oversized executable-looking CLI entrypoint.
dist/cli.jsView on unpkg