AI Security Review
scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a CLI, local dashboard, and MCP server that modifies project/AI-client config only when the user runs setup commands.
Decision evidence
public snapshot
- User-invoked `unspa init` can write MCP entries and managed AI context/skill files via `cli/commands/init.ts`.
- Dashboard/MCP code uses local WebSocket/fetch sync and filesystem persistence for package data.
- `package.json` has no install/postinstall hook; `prepublishOnly` is publisher-side lint/build/test only.
- Bin shims only register `tsx`, set package env vars, load aliases, and enter CLI/MCP source.
- AI-client config/context writes are explicit `init` behavior with flags/prompts and bounded paths such as `.mcp.json`, `CLAUDE.md`, `AGENTS.md`, `.claude/skills`.
- MCP server reads/writes Unspaghettit snapshot/model files and exposes local stdio tools; no credential harvesting or external exfiltration found.
- `child_process` use is limited to dashboard/serve subprocesses and optional `npm uninstall -g` during `uninstall --global-uninstall`.
- Scanner blob/Trojan-source hints map to built assets/compressed Svelte output; direct search found no bidi controls in the flagged JS file.
Source & flagged code
4 flagged
- Package source references dynamic require/import behavior: `mcp-server/bin.cjs` (line 6)
- Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks: `build/client/_app/immutable/chunks/DNzq6p3w2.js` (line 46)
- Package ships compressed or archive-like blobs: `build/client/lyriks_logo.svg.gz`
- Package ships high-entropy non-source blobs: `build/client/_app/immutable/nodes/11.tGaCW3Gg.js.gz`