AI Security Review
scanned 1d ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `marigold-draft agent-setup`, or invokes its local review/MCP commands.
Impact
Adds a package-owned Claude skill/MCP entry and can read or write requested draft files.
Mechanism
Explicit AI-agent configuration registration and localhost draft-review service.
Rationale
Source inspection confirms an explicit user-invoked AI-agent configuration mutation, so it warrants a warning under the firewall policy. No concrete malicious chain, install-time execution, credential theft, or external exfiltration was found.
Evidence
package.jsonREADME.mddist/cli.cjs~/.claude/skills/marigold-draft/SKILL.md~/Library/Application Support/Claude/claude_desktop_config.json~/.marigold-local/server.json
Network endpoints1
127.0.0.1
Decision evidence
public snapshotAI called this Suspicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/cli.cjs` `agent-setup` writes a Claude Code skill under `~/.claude/skills/`.
- `agent-setup` modifies Claude Desktop `mcpServers` to run this package's `mcp` command.
- CLI starts a detached localhost daemon and can open a browser.
Evidence against
- `package.json` has no install, postinstall, or preinstall hook; only `prepublishOnly`.
- Configuration mutation requires the explicit `agent-setup` command.
- Network use is restricted to `http://127.0.0.1` local server APIs.
- No credential harvesting, external exfiltration, shell payload execution, or destructive file behavior found.
- `new Function` is bundled Ajv validation code, not package-controlled payload execution.
Behavioral surface
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/cli.cjsView file
4102patternName = generic_password
severity = medium
line = 4102
matchedText = password...d]",
Medium
22156sourceCode = this.opts.code.process(sourceCode, sch);
L22157: const makeValidate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode);
L22158: const validate = makeValidate(this, this.scope.get());
Low
Eval
Package source references a known benign dynamic code generation pattern.
dist/cli.cjsView on unpkg · L22156Findings
3 Medium6 Low
MediumSecret Patterndist/cli.cjs
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/cli.cjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings