AI Security Review
scanned 5h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `marigold-draft agent-setup`.
Impact
Future AI-agent sessions may invoke the package workflow across projects.
Mechanism
Writes global agent instructions and MCP configuration.
Rationale
The package is not concretely malicious from static inspection, but its explicit setup command alters global configurations for multiple unrelated AI-agent products. Per policy, this warrants a non-blocking warning for dangerous agent-control capability.
Evidence
package.jsondist/cli.cjsREADME.md~/.codex/AGENTS.md$XDG_CONFIG_HOME/opencode/AGENTS.md~/.gemini/GEMINI.md~/.claude/CLAUDE.md~/.claude/skills/marigold-draft/SKILL.mdClaude/claude_desktop_config.json
Network endpoints2
127.0.0.1:<port>marigold.page/api/quick
Decision evidence
public snapshotAI called this Suspicious at 92.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `dist/cli.cjs` exposes explicit `agent-setup` command.
- That command writes managed blocks to global Codex, opencode, Gemini, and Claude configuration.
- It registers a `marigold-draft` MCP server in Claude Desktop configuration.
- Injected global rules direct agents to use the package's review workflow across projects.
Evidence against
- `package.json` has no preinstall/install/postinstall hook; `prepublishOnly` only builds before publishing.
- Agent configuration mutation is reached only through the explicit `agent-setup` CLI command.
- Network requests are localhost for the review daemon; hosted upload is explicit `share` to `https://marigold.page/api/quick`.
- No credential harvesting, remote payload loading, shell execution of attacker input, or destructive behavior was found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/cli.cjsView file
4102patternName = generic_password
severity = medium
line = 4102
matchedText = password...d]",
Medium
22156sourceCode = this.opts.code.process(sourceCode, sch);
L22157: const makeValidate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode);
L22158: const validate = makeValidate(this, this.scope.get());
Low
Eval
Package source references a known benign dynamic code generation pattern.
dist/cli.cjsView on unpkg · L22156Findings
3 Medium6 Low
MediumSecret Patterndist/cli.cjs
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/cli.cjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings