AI Security Review
scanned 5h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `marigold-draft agent-setup` or `marigold-draft share <file>`.
Impact
`agent-setup` changes Claude Code/Desktop configuration; `share` sends selected draft contents to the configured hosted origin.
Mechanism
Explicit AI-agent configuration mutation and user-requested draft upload.
Rationale
This is not malicious, but the explicit agent-control-surface mutation meets the firewall policy's warn boundary for user-command setup. No unconsented lifecycle execution or concrete malicious behavior was found.
Evidence
package.jsonREADME.mddist/cli.cjs~/.claude/skills/marigold-draft/SKILL.md~/.claude/CLAUDE.md~/Library/Application Support/Claude/claude_desktop_config.json~/.config/Claude/claude_desktop_config.json~/.marigold-local/docs.json<selected-draft>.marigold.json
Network endpoints2
127.0.0.1:<port>marigold.page/api/quick
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/cli.cjs` exposes explicit `agent-setup`, which writes a Claude Code skill and modifies `~/.claude/CLAUDE.md`.
- `agent-setup` also registers `marigold-draft mcp` in Claude Desktop's `claude_desktop_config.json`.
- `share` reads a user-selected HTML/SVG file and POSTs it to `${MARIGOLD_ORIGIN}/api/quick`.
Evidence against
- `package.json` has only `prepublishOnly`; no install-time lifecycle hook runs for consumers.
- Agent configuration writes occur only in the explicit `agent-setup` command, not on import or install.
- The local daemon binds to `127.0.0.1`; ordinary review APIs use localhost.
- No credential harvesting, shell command execution, dynamic payload loading, or covert remote endpoint was found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/cli.cjsView file
4102patternName = generic_password
severity = medium
line = 4102
matchedText = password...d]",
Medium
22156sourceCode = this.opts.code.process(sourceCode, sch);
L22157: const makeValidate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode);
L22158: const validate = makeValidate(this, this.scope.get());
Low
Eval
Package source references a known benign dynamic code generation pattern.
dist/cli.cjsView on unpkg · L22156Findings
3 Medium6 Low
MediumSecret Patterndist/cli.cjs
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/cli.cjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings