AI Security Review
scanned 3h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
Explicit CLI commands such as ragcode setup-mcp, install-guidance, service install, configure, update, or opt-in LLM features
Impact
Can modify local agent/service/project config when requested; no unconsented install-time mutation or exfiltration found
Mechanism
user-invoked agent configuration, local indexing, optional provider API calls, and OS watcher registration
Rationale
Source inspection shows potentially sensitive capabilities, but they are explicit CLI features for registering the package's own MCP server, guidance, updater, or watcher service and are not triggered by npm install/import. No credential harvesting, stealth persistence, remote payload loading, or unconsented broad AI-agent control-surface mutation was found.
Evidence
package.jsondist/src/cli/index.jsdist/scripts/setup-mcp.jsdist/src/agent-guidance.jsdist/src/service/service-manager.jsdist/src/service/service-templates.jsdist/src/config/runtime-config.jsdist/src/semantic/openai-compatible-embedding.jsdist/src/memory/llm-client.jsdist/src/cli/update.js.mcp.json~/.codex/config.toml~/Library/Application Support/Claude/claude_desktop_config.json~/.config/claude/claude_desktop_config.jsonAGENTS.md.ragcode/config.json.config/systemd/user/*.service~/Library/LaunchAgents/*.plist.ragcode/watch-service.vbs
Network endpoints4
api.openai.com/v1api.anthropic.comgenerativelanguage.googleapis.com127.0.0.1:8000/v1
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
- dist/scripts/setup-mcp.js can upsert ragcode MCP entries into Claude/Codex configs when user runs setup-mcp
- dist/src/agent-guidance.js can write repo AGENTS.md guidance when user runs install-guidance
- dist/src/service/service-manager.js can register user-level watcher services when user runs service install
Evidence against
- package.json has no preinstall/install/postinstall hook; only prepublishOnly build
- CLI mutations are behind explicit commands, not import-time or install-time execution
- MCP config preserves other entries and backs up existing config before write
- Runtime defaults use deterministic embeddings; hosted LLM/network features require user config/API keys
- No credential harvesting or hardcoded exfiltration endpoint found
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemShellWebSocket
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/src/config/package-info.jsView file
3export function getPackageVersion() {
L4: const require = createRequire(import.meta.url);
L5: for (const candidate of ["../../package.json", "../../../package.json"]) {
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/src/config/package-info.jsView on unpkg · L3dist/src/service/service-manager.jsView file
1import { execFile } from "node:child_process";
L2: import fs from "node:fs/promises";
...
L7: import { detectServicePlatform, launchdLabelForRepo, resolveServiceIdentity, scheduledTaskNameForRepo, serviceNameForRepo } from "./service-identity.js";
L8: import { launchdPlistPath, legacyWindowsWatcherScriptPath, renderWindowsWatcherScript, renderLaunchdPlist, renderSystemdUnit, schtasksCreateArgv, schtasksDeleteArgv, schtasksQueryA...
L9: const execFileAsync = promisify(execFile);
...
L43: try {
L44: const { stdout, stderr } = await execFileAsync(file, args);
L45: return { ok: true, stdout, stderr, code: 0 };
...
L57: const spec = buildSpec(repoRoot, options);
L58: const home = options.home ?? os.homedir();
L59: switch (kind) {
Medium
Install Persistence
Source writes installer persistence such as shell profile or service configuration.
dist/src/service/service-manager.jsView on unpkg · L1Findings
4 Medium5 Low
MediumDynamic Requiredist/src/config/package-info.js
MediumEnvironment Vars
MediumInstall Persistencedist/src/service/service-manager.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings