AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot- `dist/cli/commands/setup.js` exposes an explicit `setup` command that installs agent integrations.
- `dist/setup/install.js` writes Claude skill files and can append/replace a marked block in `AGENTS.md`.
- `dist/cli/commands/agent-setup.js` similarly exposes explicit `agent-setup --codex/--global` mutation.
- `package.json` has only `prepublishOnly`; no install-time lifecycle hook.
- No outbound-network imports, fetch calls, shell execution, eval, or VM execution found in `dist/**/*.js`.
- `dist/setup/install.js` is activated only by an explicit CLI command, not module import or package installation.
- `dist/config.js` uses environment variables only for local configuration and stores files with restrictive permissions.
Source & flagged code
3 flagged · loading source`dist/cli/commands/setup.js` exposes an explicit `setup` command that installs agent integrations.
dist/cli/commands/setup.jsView on unpkg`dist/setup/install.js` writes Claude skill files and can append/replace a marked block in `AGENTS.md`.
dist/setup/install.jsView on unpkg`dist/cli/commands/agent-setup.js` similarly exposes explicit `agent-setup --codex/--global` mutation.
dist/cli/commands/agent-setup.jsView on unpkg