registry  /  visionaire-engine  /  0.7.0

visionaire-engine@0.7.0

Deterministic rendered-page → LLM context MCP server: which rule, which file, which line — and why it wins.

AI Security Review

scanned 4h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `visionaire-engine init-harness` or starts the MCP/bin server.
Impact
Warn-level lifecycle risk: project-local agent hooks may block completion until verification, but no install-time hijack or exfiltration was confirmed.
Mechanism
explicit first-party agent harness installation and browser/page inspection tooling
Rationale
Source inspection does not support the scanner's malicious label: there are no lifecycle hooks, no hardcoded exfiltration, and the flagged Unicode is used to strip unsafe page text. Because the package can mutate AI-agent control files via an explicit user command, downgrade to warn rather than block.
Evidence
package.jsondist/index.jsdist/harness-init.jsharness/claude/settings.snippet.jsonharness/claude/hooks/visionaire_nudge.shharness/claude/hooks/visionaire_gate.shdist/session.jsdist/types.js.claude/skills/visionaire-verify/SKILL.md.claude/hooks/visionaire_nudge.sh.claude/hooks/visionaire_gate.sh.cursor/rules/visionaire-verify.mdc.claude/settings.json.claude/.visionaire_pending.claude/.visionaire_verified

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/index.js exposes explicit `init-harness` command that imports dist/harness-init.js.
  • dist/harness-init.js copies Claude hooks/skill and Cursor rule into project .claude/.cursor paths.
  • harness/claude/settings.snippet.json configures PostToolUse and Stop hooks.
  • harness/claude/hooks/visionaire_gate.sh can block agent turn completion until verification marker exists.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts.
  • Harness setup is user-invoked via `visionaire-engine init-harness`, not install-time mutation.
  • dist/harness-init.js is non-destructive: skips existing files unless --force and never modifies existing .claude/settings.json.
  • No credential harvesting or exfiltration endpoints found; fetch usage is for user/page-supplied resources.
  • dist/types.js Unicode controls are inside a regex/comment for sanitizing page text, not Trojan Source control flow.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 64 file(s), 600 KB of source, external domains: 127.0.0.1, example.com, www.google.com

Source & flagged code

3 flagged · loading source
dist/types.jsView file
29contains invisible/control Unicode U+202A (left-to-right embedding) .replace(/[--Ÿ<U+200E><U+200F><U+202A>-<U+202E><U+2066>-<U+2069>]/g, ' ')
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/types.jsView on unpkg · L29
Trigger-reachable chain: manifest.main -> dist/index.js -> dist/session.js -> dist/uid.js -> dist/types.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/types.jsView on unpkg
harness/claude/hooks/visionaire_gate.shView file
path = harness/claude/hooks/visionaire_gate.sh kind = build_helper sizeBytes = 1484 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

harness/claude/hooks/visionaire_gate.shView on unpkg

Findings

2 Critical4 Medium4 Low
CriticalTrojan Source Unicodedist/types.js
CriticalTrigger Reachable Dangerous Capabilitydist/types.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperharness/claude/hooks/visionaire_gate.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings