AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No install-time attack surface is present. Explicit skills setup can modify user-scoped AI-agent integration state and invoke package-aligned remote extension/template sources.
Static reason
No blocking static signals were detected.
Trigger
User runs `projectops --mode skills` or accepts the interactive skills prompt.
Impact
Can install or update first-party agent extensions and copy projectops-owned skill files into user agent directories.
Mechanism
Explicit IDE plugin, extension, skills, and harness setup.
Rationale
No concrete malicious chain was found. The explicit first-party AI-agent extension lifecycle behavior warrants a warning under the stated policy, not a block.
Evidence
package.jsonbin/projectops.jssrc/commands/skills.jssrc/core/ide/adapters/cursor.jssrc/core/ide/adapters/codex.jssrc/core/ide/adapters/pi-harness.jssrc/core/assets.js~/.cursor/skills~/.agents/skills/projectops~/.projectops/config/config.jsonPI settings.json
Network endpoints3
github.com/Cassiiopeia/projectopsgithub.com/Cassiiopeia/projectops.gitraw.githubusercontent.com/Cassiiopeia/projectops/main
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `src/commands/skills.js` applies IDE integrations in noninteractive mode.
- `src/core/ide/adapters/cursor.js` copies skills into `~/.cursor/skills`.
- `src/core/ide/adapters/codex.js` registers a Codex marketplace and removes legacy native skills.
- `src/core/ide/adapters/pi-harness.js` enables a PI settings extension.
- `src/core/assets.js` clones the package-aligned GitHub template at runtime.
Evidence against
- `package.json` has no preinstall, install, postinstall, or prepare hook.
- `bin/projectops.js` only starts the CLI after explicit execution.
- Agent integration runs only through `--mode skills` or an interactive opt-in.
- Network URLs are package-aligned GitHub endpoints.
- No credential harvesting, exfiltration, eval, or hidden payload execution was found.
Behavioral surface
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcebin/projectops.jsView file
14const indexPath = join(here, "..", "src", "index.js");
L15: const { run } = await import(pathToFileURL(indexPath).href);
L16:
Medium
Dynamic Require
Package source references dynamic require/import behavior.
bin/projectops.jsView on unpkg · L14Findings
3 Medium4 Low
MediumDynamic Requirebin/projectops.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings