VasperaPM - AI-powered verified specifications. Discover docs, analyze code, detect drift.
LPM treats this as warn-only first-party agent extension lifecycle risk. No install-time execution or confirmed credential exfiltration was found. Explicit CLI setup registers an MCP server that resolves `vaspera-pm@latest` on later agent launches, creating a persistent unpinned extension path.
Source appears to send environment or credential material to an external endpoint.
dist/server.jsView on unpkg · L79Package source references dynamic require/import behavior.
dist/server.jsView on unpkg · L3294Package source references weak cryptographic algorithms.
dist/server.jsView on unpkg · L79A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/cli.jsView on unpkg · L31A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/cli.jsView on unpkg · L453Source appears to send environment or credential material to an external endpoint.
dist/server.jsView on unpkg · L79Package source references dynamic require/import behavior.
dist/server.jsView on unpkg · L3294Package source references weak cryptographic algorithms.
dist/server.jsView on unpkg · L79A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/cli.jsView on unpkg · L31A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/cli.jsView on unpkg · L453