AI Security Review
scanned 3h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
User runs sens dashboard and clicks Connect to Claude Code, or explicitly runs sens rules/report/index/mcp commands.
Impact
Adds a package-owned MCP server entry and writes local .sens cache/log/report files; no confirmed exfiltration or remote code execution beyond npx invocation of this package.
Mechanism
user-invoked project indexing plus explicit MCP config setup
Rationale
Source inspection supports a package-aligned tool with an explicit user-command MCP config mutation, which is an agent-control-surface lifecycle risk but not malicious under the policy. No concrete exfiltration, install-time mutation, destructive behavior, or staged payload was found.
Evidence
package.jsondist/cli.jsdist/server-YDYSA2YO.jsdist/server-OKFVY3GH.jsdist/chunk-5YINTSQX.jsdist/chunk-DPT26USV.jsREADME.md.mcp.json.sens/index.json.sens/usage.jsonl.sens/report.htmlSENS_RULES.md
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Benign with medium false-positive risk.
Evidence for warning
- dist/server-OKFVY3GH.js exposes dashboard POST /api/connect that writes project .mcp.json.
- dist/server-OKFVY3GH.js sets mcpServers.sens to run npx -y sens-mcp mcp.
- dist/chunk-DPT26USV.js MCP usage logging appends tool calls to .sens/usage.jsonl.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle hooks.
- dist/cli.js only runs actions from explicit CLI commands; mcp server starts only via sens mcp.
- dist/server-YDYSA2YO.js registers local MCP tools for project indexing/querying, not credential access or exfiltration.
- dist/chunk-5YINTSQX.js indexes local source and writes cache to .sens/index.json using declared parsers/WASM grammars.
- No external network endpoints or remote payload fetches found in runtime source; README URLs are badges/docs.
Behavioral surface
ChildProcessDynamicRequireFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/chunk-5YINTSQX.jsView file
28async function build(root, absFiles) {
L29: const { Project, Node, SyntaxKind } = await import("ts-morph");
L30: const project = new Project({
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/chunk-5YINTSQX.jsView on unpkg · L28dist/grammars/tree-sitter-go.wasmView file
•path = dist/grammars/tree-sitter-go.wasm
kind = wasm_module
sizeBytes = 235957
magicHex = [redacted]
Medium
Findings
4 Medium4 Low
MediumDynamic Requiredist/chunk-5YINTSQX.js
MediumNetwork
MediumShips Wasm Moduledist/grammars/tree-sitter-go.wasm
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings