registry  /  marigold-draft  /  0.3.4

marigold-draft@0.3.4

Local Marigold review loop for agent-authored HTML/SVG drafts — comment in the browser, feedback flows straight back to your coding agent.

AI Security Review

scanned 5h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `marigold-draft agent-setup`.
Impact
Future AI-agent sessions may invoke the package workflow across projects.
Mechanism
Writes global agent instructions and MCP configuration.
Rationale
The package is not concretely malicious from static inspection, but its explicit setup command alters global configurations for multiple unrelated AI-agent products. Per policy, this warrants a non-blocking warning for dangerous agent-control capability.
Evidence
package.jsondist/cli.cjsREADME.md~/.codex/AGENTS.md$XDG_CONFIG_HOME/opencode/AGENTS.md~/.gemini/GEMINI.md~/.claude/CLAUDE.md~/.claude/skills/marigold-draft/SKILL.mdClaude/claude_desktop_config.json
Network endpoints2
127.0.0.1:<port>marigold.page/api/quick

Decision evidence

public snapshot
AI called this Suspicious at 92.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/cli.cjs` exposes explicit `agent-setup` command.
  • That command writes managed blocks to global Codex, opencode, Gemini, and Claude configuration.
  • It registers a `marigold-draft` MCP server in Claude Desktop configuration.
  • Injected global rules direct agents to use the package's review workflow across projects.
Evidence against
  • `package.json` has no preinstall/install/postinstall hook; `prepublishOnly` only builds before publishing.
  • Agent configuration mutation is reached only through the explicit `agent-setup` CLI command.
  • Network requests are localhost for the review daemon; hosted upload is explicit `share` to `https://marigold.page/api/quick`.
  • No credential harvesting, remote payload loading, shell execution of attacker input, or destructive behavior was found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 1.30 MB of source, external domains: 127.0.0.1, dom.spec.whatwg.org, github.com, html.spec.whatwg.org, html5sec.org, json-schema.org, marigold.page, mathiasbynens.be, raw.githubusercontent.com, spec.openapis.org, stackoverflow.com, tools.ietf.org, www.safaribooksonline.com, www.w3.org

Source & flagged code

2 flagged · loading source
dist/cli.cjsView file
4102patternName = generic_password severity = medium line = 4102 matchedText = password...d]",
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/cli.cjsView on unpkg · L4102
22156sourceCode = this.opts.code.process(sourceCode, sch); L22157: const makeValidate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode); L22158: const validate = makeValidate(this, this.scope.get());
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/cli.cjsView on unpkg · L22156

Findings

3 Medium6 Low
MediumSecret Patterndist/cli.cjs
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/cli.cjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings