AI Security Review
scanned 2h ago · by lpm-firewall-ai
No source-grounded attack surface can be confirmed because package files were not readable through available tools.
Static reason
One or more suspicious static signals were detected.
Trigger
unknown
Impact
unknown
Mechanism
unverified package contents
Rationale
Source inspection was required before a verdict, but the runtime did not expose a filesystem inspection tool in this turn. Without reading the package files, neither a clean nor a malicious verdict would be supported.
Decision evidence
public snapshot
AI called this Manual Review at 10.0% confidence, classified as Unknown, with high false-positive risk.
Evidence for warning
- Cannot inspect package files in this environment: no filesystem command tool is available in the assistant toolset, despite the task requiring source inspection.
Evidence against
Behavioral surface
Environment Vars · Filesystem · Url Strings
Source & flagged code
2 flagged · package.json
- scripts.postinstall = node dist/index.js --version || echo 'Run: npx react-docs-mcp'
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts; npm runs preinstall, install and postinstall hooks automatically when the package is installed as a dependency.
package.json: scripts.postinstall = node dist/index.js --version || echo 'Run: npx react-docs-mcp'
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review: node dist/index.js --version runs the package's own shipped code at install time, the --version argument does not limit what that file can do, and the || echo fallback hides a non-zero exit.
package.json
Findings
1 High · 2 Medium · 4 Low
High · Install Time Lifecycle Scripts · package.json
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Environment Vars
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · Url Strings
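Reproducing the two lifecycle-script findings above as a static check, as an added example that is not part of the scanner's output or of the react-docs-mcp package: the function takes a parsed package.json object, raises the High finding for any preinstall/install/postinstall hook, and raises the Medium "ambiguous" finding unless the script matches an allowlist, also reporting which sub-commands execute JavaScript shipped inside the package. The allowlist patterns, the finding shape and the sample package object are assumptions constructed for illustration; the sample mirrors the flagged fragment.

```javascript
// Added example: static triage of npm install-time lifecycle scripts.
// Not the scanner's code. Allowlist and finding shape are hypothetical.

// Hooks npm runs automatically when a package is installed as a dependency.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Hypothetical allowlist: common native-addon build invocations that do not
// execute arbitrary JavaScript shipped in the package itself.
const ALLOWLIST = [
  /^node-gyp rebuild$/,
  /^prebuild-install \|\| node-gyp rebuild$/,
];

// Split a shell one-liner on ||, && and ; so each command can be judged.
// Deliberately naive: it does not honour quoting, which is acceptable for
// triage because anything this cannot parse deserves manual review anyway.
function splitCommands(script) {
  return script.split(/\s*(?:\|\||&&|;)\s*/).filter(Boolean);
}

// True when a command runs JavaScript that ships inside the package
// (`node <file>.js ...`). Arguments such as --version do not constrain
// what that file does: the whole file executes at install time.
function runsPackageCode(cmd) {
  return /^node\s+\S+\.(c|m)?js(\s|$)/.test(cmd);
}

// Returns the list of findings for one package.json object.
function reviewInstallScripts(pkg) {
  const findings = [];
  const scripts = (pkg && pkg.scripts) || {};
  for (const hook of INSTALL_HOOKS) {
    const script = scripts[hook];
    if (typeof script !== 'string' || script.trim() === '') continue;
    const entry = `scripts.${hook} = ${script}`;
    // Presence of any install-time hook is reported regardless of content.
    findings.push({ severity: 'High', rule: 'Install Time Lifecycle Scripts', entry });
    if (ALLOWLIST.some((re) => re.test(script.trim()))) continue;
    // Not allowlisted: flag as ambiguous and point at the commands that
    // execute package code, i.e. the files a reviewer must actually read.
    findings.push({
      severity: 'Medium',
      rule: 'Ambiguous Install Lifecycle Script',
      entry,
      executesPackageCode: splitCommands(script).filter(runsPackageCode),
    });
  }
  return findings;
}

// Constructed sample mirroring the flagged package.json fragment above.
const flaggedPkg = {
  name: 'react-docs-mcp',
  scripts: {
    postinstall: "node dist/index.js --version || echo 'Run: npx react-docs-mcp'",
  },
};

const sampleFindings = reviewInstallScripts(flaggedPkg);
for (const f of sampleFindings) {
  console.log(`${f.severity}: ${f.rule} (${f.entry})`);
  if (f.executesPackageCode) console.log('  reads required for:', f.executesPackageCode.join(', '));
}
```

Until dist/index.js has been read, the safe way to pull such a package is `npm install --ignore-scripts` (or `npm config set ignore-scripts true`), which suppresses the postinstall hook entirely; the `|| echo` fallback in the flagged script means a failing or absent dist/index.js would otherwise go unnoticed at install time.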