
usrcp-discord@0.2.2

Discord capture+reader adapter for USRCP — vision-proof cross-channel memory

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Source inspection was not completed, so no reliable attack surface can be confirmed.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
unknown
Impact
unknown
Mechanism
unverified
Rationale
I cannot validly decide without inspecting package files, but the requested response format requires final JSON only.

Decision evidence

public snapshot
AI called this Manual Review at 0.0% confidence as Unknown with high false-positive risk.
Evidence for warning
  • Unable to perform required read-only inspection before finalization due to response format constraint.
Evidence against
    Behavioral surface
    Source: Child Process, Environment Vars, Network
    Supply chain: Url Strings
    Manifest: No manifest risk signals triggered.
    scanned 7 file(s), 39.8 KB of source, external domains: console.anthropic.com, discord.com

    Source & flagged code

    5 flagged
    package.json
    scripts.postinstall = node -e "const fs=require(\"fs\"); for (const p of [\"node_modules/better-sqlite3/build\",\"node_modules/usrcp-core/node_modules/better-sqlite3/build\",\"node_modules/usrcp-stream/...
    Critical
    Red Install Lifecycle Script

    Install-time lifecycle script matches a deterministic static-gate block pattern.

    package.json
    scripts.postinstall = node -e "const fs=require(\"fs\"); for (const p of [\"node_modules/better-sqlite3/build\",\"node_modules/usrcp-core/node_modules/better-sqlite3/build\",\"node_modules/usrcp-stream/...
    High
    Install Time Lifecycle Scripts

    Package defines install-time lifecycle scripts.

    package.json
    dist/index.js
    L15: exports.resolveMode = resolveMode;
    L16: const node_child_process_1 = require("node:child_process");
    L17: const discord_js_1 = require("discord.js");
    High
    Child Process

    Package source references child process execution.

    dist/index.js · L15
    dist/setup.js
    L46: exports.runDiscordSetup = runDiscordSetup;
    L47: const https = __importStar(require("node:https"));
    L48: const node_child_process_1 = require("node:child_process");
    L49: const config_js_1 = require("./config.js");
    ...
    L55: return new Promise((resolve) => {
    L56: process.stderr.write(prompt);
    L57: const stdin = process.stdin;
    High
    Command Output Exfiltration

    Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

    dist/setup.js · L46
    package = usrcp-discord; repositoryIdentity = usrcp; dependency = @anthropic-ai/sdk
    L169: try {
    L170: const { default: Anthropic } = await import("@anthropic-ai/sdk");
    L171: const client = new Anthropic({ apiKey });
    High
    Copied Package Dependency Bridge

    Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

    dist/setup.js · L169

    Findings

    1 Critical · 4 High · 3 Medium · 2 Low
    Critical · Red Install Lifecycle Script · package.json
    High · Install Time Lifecycle Scripts · package.json
    High · Child Process · dist/index.js
    High · Command Output Exfiltration · dist/setup.js
    High · Copied Package Dependency Bridge · dist/setup.js
    Medium · Network
    Medium · Environment Vars
    Medium · Structural Risk Force Deep Review
    Low · Scripts Present
    Low · Url Strings