AI Security Review
scanned 3d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The package is a Telegram adapter that stores allowlisted chat messages locally and calls Anthropic for user-visible summarization/replies when configured.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install runs postinstall; running usrcp-telegram starts long-polling bot; --reset-config runs setup command.
Impact
Configured chat contents may be processed by the local ledger/stream and Anthropic as documented, but no unconsented exfiltration or install-time attack was found.
Mechanism
package-aligned Telegram capture and LLM reply adapter with native dependency rebuild workaround
Rationale
Static inspection shows suspicious primitives are package-aligned: install only rebuilds better-sqlite3, runtime network use is the declared Telegram/Anthropic adapter flow, and config/ledger writes are user-invoked or runtime functions. No concrete credential theft, hidden endpoint, persistence, destructive action, or agent-control mutation was found.
Evidence
package.jsondist/index.jsdist/config.jsdist/capture.jsdist/stream-capture.jsdist/reader.jsdist/llm.jsdist/setup.jsREADME.mdnode_modules/better-sqlite3/buildnode_modules/usrcp-core/node_modules/better-sqlite3/buildnode_modules/usrcp-stream/node_modules/better-sqlite3/build~/.usrcp/telegram-config.json
Network endpoints1
console.anthropic.com/account/keys
Decision evidence
public snapshotAI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json defines postinstall that rmSyncs better-sqlite3 build dirs and runs npm rebuild better-sqlite3.
- dist/index.js uses execSync only for user-invoked --reset-config to run usrcp setup --adapter=telegram.
- dist/index.js starts a Telegram bot and dist/llm.js sends message text to Anthropic SDK during capture/reply.
Evidence against
- No install-time credential/env harvesting or network exfiltration found in inspected source.
- postinstall behavior is limited to local better-sqlite3 native rebuild paths, matching dependency repair intent.
- dist/capture.js and dist/stream-capture.js filter bot messages, empty messages, and non-allowlisted chats before storage.
- dist/config.js uses adapter config fields for Telegram/Anthropic secrets rather than custom secret scraping.
- dist/setup.js interactively writes declared Telegram config via writeTelegramConfig; no hidden endpoints or persistence found.
- No eval/vm/Function, binary loader, destructive filesystem behavior beyond node_modules rebuild cleanup, or AI-agent control-surface writes found.
Behavioral surface
ChildProcessEnvironmentVars
UrlStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node -e "const fs=require(\"fs\"); for (const p of [\"node_modules/better-sqlite3/build\",\"node_modules/usrcp-core/node_modules/better-sqlite3/build\",\"node_modules/usrcp-stream/...
Critical
Red Install Lifecycle Script
Install-time lifecycle script matches a deterministic static-gate block pattern.
package.jsonView on unpkg•scripts.postinstall = node -e "const fs=require(\"fs\"); for (const p of [\"node_modules/better-sqlite3/build\",\"node_modules/usrcp-core/node_modules/better-sqlite3/build\",\"node_modules/usrcp-stream/...
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgFindings
1 Critical1 High1 Medium2 Low
CriticalRed Install Lifecycle Scriptpackage.json
HighInstall Time Lifecycle Scriptspackage.json
MediumEnvironment Vars
LowScripts Present
LowUrl Strings