AI Security Review
scanned 4d ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot- `scripts/init.js` is reached through the explicit `sweet-search init` command and can call agent integration helpers.
- The explicit init workflow writes project AI-agent surfaces: `CLAUDE.md`, `AGENTS.md`, `.claude/rules/sweet-search.md`, `.claude/settings.json`, `.claude/hooks/sweet-search-remind-tools.mjs`, `.claude/hooks/sweet-search-intercept-read.mjs`, `.claude/skills/sweet-index/`, `.mcp.json`, and `.codex/config.toml`.
- With the separate `--codex-enable-global-hooks` option, `scripts/init.js` can also update `~/.codex/config.toml`.
- `scripts/install-tool-enforcement.js` modifies `.claude/settings.json` permissions and registers a `UserPromptSubmit` hook; this is a meaningful agent-control capability.
- The copied Claude hook payloads inject persistent tool-routing guidance into agent context, including a `PreToolUse` hook that allows `Read` while suggesting package-provided search tools.
- `package.json` declares only `postinstall`, which runs `scripts/postinstall-banner.js`; inspection shows it only writes a best-effort terminal banner and does not alter project files, agent configuration, persistence locations, or network state.
- All inspected agent-control writes are initiated by `sweet-search init` and option parsing in `scripts/init.js`, not by npm `preinstall`, `install`, or `postinstall`.
- The MCP helper registers a project-local `.mcp.json` entry for `npx -y sweet-search-mcp`; `mcp/server.js` uses stdio transport and no remote MCP endpoint was found.
- The inspected Claude hooks neither execute external commands nor fetch data: `scripts/hooks/intercept-read.mjs` emits an allow decision and routing hint, while `scripts/hooks/remind-tools.mjs` emits a static reminder.
- Network behavior inspected in `core/embedding/embedding-remote.js` sends user-configured embedding requests to configured provider endpoints such as `https://api.voyageai.com`; no fetch-to-eval, fetched command execution, credential collection, or exfiltration chain was found.
- The supplied 2.6.7→2.6.8 diff has no new or changed lifecycle script, entrypoint, capability, executable, or bundled WASM artifact. The WASM loader reads the shipped `crates/wasm-router/pkg/query_router_wasm_bg.wasm` locally.
Source & flagged code
5 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgPackage source references dynamic require/import behavior.
crates/wasm-router/pkg/query_router_wasm.jsView on unpkg · L266Package source executes code through a VM context API.
core/indexing/index-codebase-v21.jsView on unpkg · L35Package source references weak cryptographic algorithms.
core/search/search-fusion.jsView on unpkg · L41Package ships WebAssembly modules.
crates/wasm-router/pkg/query_router_wasm_bg.wasmView on unpkg