AI Security Review
scanned 4h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious install-time attack surface. The package is an AI/MCP platform whose explicit init command can modify broad AI-agent control surfaces, which is agent-extension lifecycle risk rather than unconsented lifecycle hijack.
Decision evidence
public snapshot

- User-invoked `unspa init` can register MCP globally in AI client configs (`~/.claude.json`, `~/.cursor/mcp.json`, `~/.codex/config.toml`, etc.).
- `cli/commands/init.ts` can add managed blocks to `CLAUDE.md` and `AGENTS.md` and install bundled skills under `.claude/skills/`.
- MCP server exposes many spec-editing tools and package instructions to connected AI clients via `mcp-server/server.ts`.
- `package.json` has no install/postinstall/prepare hook; only `prepublishOnly`, which is publisher-side.
- Bin shims only register tsx/path aliases and load local CLI/MCP entrypoints; no import-time exfiltration or install-time mutation found.
- AI client config/context writes are activated by explicit `unspa init`, with prompts/flags and uninstall support; not lifecycle-triggered.
- No credential harvesting, remote payload fetch, destructive persistence, or untrusted code execution found in inspected entrypoints.
Source & flagged code
4 flagged

- Package source references dynamic require/import behavior: `mcp-server/bin.cjs` (L6).
- Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks: `build/client/_app/immutable/chunks/DNzq6p3w2.js` (L46).
- Package ships compressed or archive-like blobs: `build/client/lyriks_logo.svg.gz`.
- Package ships high-entropy non-source blobs: `build/client/_app/immutable/nodes/3.DSEDqDk6.js.gz`.