AI Security Review
scanned 4d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established by source inspection. The package is a Vercel CLI with user-invoked network, token, shell, curl, sandbox, skills, and MCP setup features aligned to its documented command surface.
Decision evidence
public snapshot- package.json exposes only CLI bins vc/vercel and has no preinstall/install/postinstall lifecycle hooks.
- dist/vc.js is a small CLI shim that handles --version/--help then imports dist/index.js; no install/import-time payload seen.
- dist/index.js routes subcommands to commands-bulk.js and uses Vercel-aligned endpoints such as https://api.vercel.com and npm dist-tags for update checks.
- dist/commands-bulk.js token/env handling is command-specific for Vercel Blob, curl trace, sandbox, tokens, and telemetry; no broad credential harvesting or external exfiltration found.
- dist/commands-bulk.js MCP setup is explicit user-invoked vercel mcp behavior for Vercel MCP at https://mcp.vercel.com, not an npm lifecycle mutation.
- child_process uses are for user-invoked curl, package-manager/update detection, MCP client setup, and skills command execution paths.
Source & flagged code
11 flagged · loading sourceSource spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/index.jsView on unpkg · L2Source appears to send environment or credential material to an external endpoint.
dist/commands-bulk.jsView on unpkg · L2A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/commands-bulk.jsView on unpkg · L2A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/commands-bulk.jsView on unpkg · L4682Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/commands-bulk.jsView on unpkg · L2Package source references weak cryptographic algorithms.
dist/commands-bulk.jsView on unpkg · L2Package source references dynamic require/import behavior.
dist/get-latest-worker.cjsView on unpkg · L16Package contains source files above the static scanner size ceiling.
dist/chunks/chunk-XHC5YRFY.jsView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/chunks/chunk-X36ADWA5.jsView on unpkg