registry  /  typeglish  /  0.2.0

typeglish@0.2.0

The TypeGlish language + compiler — turn English into logically consistent, checkable programs for LLMs.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface. The package includes an explicit Claude hook command that can gate configured prompt-deployment tools, while normal build operations write package-owned `.typeglish` artifacts.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Lifecycle `prepare` invokes Husky; agent gating requires an explicit `typeglish claude-hook` invocation.
Impact
Potential VCS-hook setup during prepare; no confirmed exfiltration, remote execution, persistence, or foreign AI-agent configuration write.
Mechanism
Prepare-time Husky setup plus explicit, local agent-tool payload validation.
Rationale
No concrete malicious chain was found by direct source inspection. Per policy, the prepare-time Husky hook setup remains a lifecycle risk warranting a warning rather than a block.
Evidence
package.jsondist/cli.jsdist/mcp.jsdist/chunk-A2R4ZEV7.js.typeglish/dist/<name>.txt.typeglish/build-manifest.json.typeglish/deploy-gate.json

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json: `prepare` runs `husky || true`, a lifecycle VCS-hook setup attempt.
  • dist/cli.js: `claude-hook` can deny configured agent-tool writes when explicitly invoked.
Evidence against
  • package.json has no preinstall/install/postinstall hook.
  • dist/cli.js only writes build outputs and manifests under `.typeglish/` after explicit `build`.
  • dist/cli.js hook reads stdin/files/env but contains no network or subprocess execution.
  • dist/mcp.js exposes stdio MCP check/build tools; path mode writes only requested project artifacts.
  • No bidi/invisible Unicode controls were found in distributed `.js` files.
  • No runtime HTTP client calls were found in package code.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystem
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 18 file(s), 2.06 MB of source, external domains: api.anthropic.com, api.example.com, api.openai.com, generativelanguage.googleapis.com, github.com, json-schema.org, peggyjs.org, raw.githubusercontent.com, spec.openapis.org, stackoverflow.com, tools.ietf.org, www.safaribooksonline.com, www.w3.org

Source & flagged code

2 flagged · loading source
dist/chunk-KRYC4OTL.jsView file
246contains invisible/control Unicode U+200D (zero width joiner) re: /(?![©®™])\p{Extended_Pictographic}(?:️)?(?:<U+200D>(?![©®™])\p{Extended_Pictographic}(?:️)?)*/gu,
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/chunk-KRYC4OTL.jsView on unpkg · L246
Trigger-reachable chain: manifest.main -> dist/index.js -> dist/chunk-KRYC4OTL.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/chunk-KRYC4OTL.jsView on unpkg

Findings

2 Critical3 Medium6 Low
CriticalTrojan Source Unicodedist/chunk-KRYC4OTL.js
CriticalTrigger Reachable Dangerous Capabilitydist/chunk-KRYC4OTL.js
MediumDynamic Require
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEval
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings