AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot- `installer/install.mjs` runs on explicit CLI invocation and writes a Claude SessionStart hook.
- The installer registers an HTTP MCP server and embeds the bearer token in the hook command for remote URLs.
- `session-start.mjs` reads a token and sends project scope to the configured MCP endpoint at each Claude session start.
- `installer/import.mjs` can read Claude memory notes and upload their contents to an MCP endpoint; `--llm` also sends note bodies to Anthropic.
- `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
- All filesystem/configuration changes occur through the package bin, not package installation.
- Child-process use is fixed-argument calls to `claude` and `git`; no shell interpolation, eval, or downloaded code execution.
- The hook only calls the named `recall` MCP tool and exits on errors; no destructive or persistence behavior beyond the user-installed hook.
Source & flagged code
3 flagged · loading sourcePackage source references child process execution.
packages/mcp-server/hooks/session-start.mjsView on unpkg · L12A single source file combines environment access, network access, and code or shell execution; review context before blocking.
packages/mcp-server/hooks/session-start.mjsView on unpkg · L7Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
packages/mcp-server/hooks/session-start.mjsView on unpkg · L12