AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `marigold-draft agent-setup` or `marigold-draft share <file>`.
Impact
Can alter assistant-wide behavior across projects and enable this package as an MCP tool; sharing exports the chosen draft.
Mechanism
Explicit global agent-config mutation and opt-in draft upload.
Rationale
This is not malware or an install-time hijack, but it has an explicit command that persistently modifies broad AI-agent configuration. Per policy, that merits a warning rather than a block.
Evidence
package.jsondist/cli.cjsREADME.md~/.codex/AGENTS.md~/.claude/CLAUDE.md~/.claude/skills/marigold-draft/SKILL.mdClaude/claude_desktop_config.json~/.gemini/GEMINI.md
Network endpoints2
marigold.page/api/quick127.0.0.1:${port}
Decision evidence
public snapshotAI called this Suspicious at 94.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/cli.cjs:31377` runs agent configuration only for the explicit `agent-setup` command.
- `dist/cli.cjs:28752` writes managed blocks to detected global Codex, opencode, and Gemini agent-rule files.
- `dist/cli.cjs:28813` registers this CLI as a Claude Desktop MCP server and rewrites its config.
- `dist/cli.cjs:31175` uploads caller-selected HTML only when the explicit `share` command is used.
Evidence against
- `package.json` has no preinstall/install/postinstall lifecycle hook; `prepublishOnly` is publisher-side.
- The daemon and fetch traffic are localhost-only except the explicit share feature.
- No credential harvesting, shell command injection, remote payload execution, or stealth persistence was found.
- The flagged dynamic `Function` is bundled AJV validation code, not package-controlled payload execution.
Behavioral surface
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/cli.cjsView file
4102patternName = generic_password
severity = medium
line = 4102
matchedText = password...d]",
Medium
22156sourceCode = this.opts.code.process(sourceCode, sch);
L22157: const makeValidate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode);
L22158: const validate = makeValidate(this, this.scope.get());
Low
Eval
Package source references a known benign dynamic code generation pattern.
dist/cli.cjsView on unpkg · L22156Findings
3 Medium6 Low
MediumSecret Patterndist/cli.cjs
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/cli.cjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings