usrcp-extension@0.2.2

Chrome browser extension for capturing claude.ai conversations into the USRCP ledger

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Source inspection was not completed, so no reliable attack surface determination is possible.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
unknown
Impact
unknown
Mechanism
uninspected package
Rationale
I could not complete the required read-only package inspection before this schema-bound response was emitted. This should be retried with filesystem inspection of package.json, dist/setup.js, config files, and native-host files.

Decision evidence

public snapshot
AI called this Manual Review at 0.0% confidence as Unknown with high false-positive risk.
Evidence for warning
  • Finalization attempted before required source inspection due to tool-channel mistake.
Evidence against
    Behavioral surface
    Source: ChildProcess, DynamicRequire, EnvironmentVars, Filesystem, Shell
    Supply chain: HighEntropyStrings
    Manifest: No manifest risk signals triggered.
    scanned 5 file(s), 37.1 KB of source

    Source & flagged code

    3 flagged
    package.json
    scripts.postinstall = node -e "const fs=require(\"fs\"); for (const p of [\"node_modules/better-sqlite3/build\",\"node_modules/usrcp-local/node_modules/better-sqlite3/build\",\"node_modules/usrcp-stream...
    Critical
    Red Install Lifecycle Script

    Install-time lifecycle script matches a deterministic static-gate block pattern.

    package.json
    scripts.postinstall = node -e "const fs=require(\"fs\"); for (const p of [\"node_modules/better-sqlite3/build\",\"node_modules/usrcp-local/node_modules/better-sqlite3/build\",\"node_modules/usrcp-stream...
    High
    Install Time Lifecycle Scripts

    Package defines install-time lifecycle scripts.

    native-host/usrcp-bridge.cjs
    36L37: const path = require("node:path"); L38: const fs = require("node:fs");
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    native-host/usrcp-bridge.cjs · L36

    Findings

    1 Critical · 1 High · 3 Medium · 3 Low
    Critical · Red Install Lifecycle Script · package.json
    High · Install Time Lifecycle Scripts · package.json
    Medium · Dynamic Require · native-host/usrcp-bridge.cjs
    Medium · Environment Vars
    Medium · Structural Risk Force Deep Review
    Low · Scripts Present
    Low · Filesystem
    Low · High Entropy Strings