AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. User-invoked CLI can install or update package-owned IDE/agent extensions and copy project templates. This is not install-time behavior, but it does touch AI-agent control surfaces when the user runs skills mode.
Static reason
No blocking static signals were detected.
Trigger
user runs projectops, especially --mode skills with --force or interactive apply
Impact
Warn-level lifecycle risk from agent extension/config mutation; no confirmed malicious payload or exfiltration
Mechanism
explicit CLI-driven template integration and IDE/agent extension setup
Rationale
Source inspection shows explicit user-command agent extension/config mutation, which merits a warning under the provided policy, but no concrete malicious chain. The risky operations are package-aligned and activated through CLI modes rather than npm install/import side effects.
Evidence
package.jsonbin/projectops.jssrc/index.jssrc/core/assets.jssrc/core/breaking-check.jssrc/commands/skills.jssrc/core/ide/adapters/cursor.jssrc/core/ide/adapters/pi-common.jssrc/core/ide/adapters/claude.jssrc/core/ide/adapters/codex.jssrc/core/ide/adapters/gemini.jsversion.ymlREADME.md.github/workflows/*.github/config/*.github/ISSUE_TEMPLATE/*.github/DISCUSSION_TEMPLATE/*.cursor/skills/*.pi/agent/settings.json.agents/skills/cassiiopeia.claude/plugins/data/cassiiopeia@cassiiopeia-marketplace
Network endpoints3
github.com/Cassiiopeia/projectops.gitraw.githubusercontent.com/Cassiiopeia/projectops/main/.github/config/breaking-changes.jsongithub.com/Cassiiopeia/projectops
Decision evidence
public snapshotAI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- src/commands/skills.js applies IDE adapters in noninteractive skills mode
- src/core/ide/adapters/cursor.js copies skills into ~/.cursor/skills and writes meta
- src/core/ide/adapters/pi-common.js can add/remove harness loader in ~/.pi/agent/settings.json
- src/core/ide/adapters/claude.js, gemini.js, codex.js invoke agent/IDE CLIs to install/update package-owned extensions
Evidence against
- package.json has no preinstall/install/postinstall hooks
- bin/projectops.js only version-checks then imports src/index.js on CLI execution
- Network URLs are package-aligned GitHub repo/raw URLs
- No credential harvesting, exfiltration, eval/vm, obfuscated payload, or stealth persistence found
Behavioral surface
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcebin/projectops.jsView file
14const indexPath = join(here, "..", "src", "index.js");
L15: const { run } = await import(pathToFileURL(indexPath).href);
L16:
Medium
Dynamic Require
Package source references dynamic require/import behavior.
bin/projectops.jsView on unpkg · L14Findings
3 Medium4 Low
MediumDynamic Requirebin/projectops.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings