AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM blocks this version under the AI-agent control-surface policy. Installation mutates the consuming project's `.agents` directory without a user command. The recursive copy overwrites existing skill files, allowing the package to control AI-agent instructions in the workspace.
Decision evidence
public snapshot- package.json runs postinstall automatically.
- installSkills.js copies bundled .agents into npm INIT_CWD.
- Copy is recursive and overwrites existing target files.
- Target is project-root .agents, a broad AI-agent control surface.
- Bundled mikuwork instructs agents to implement and validate project tasks.
- No credential harvesting or process execution found.
- No package-controlled network endpoint or payload download found.
- Runtime server is local and only serves state/task APIs.
Source & flagged code
3 flagged · loading sourceTarball package.json differs from the npm registry version manifest for scripts or dependency sets.
package.jsonView on unpkgPackage defines install-time lifecycle scripts.
package.jsonView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
server.jsView on unpkg