AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The package includes a project-local Claude permission allowlist that can weaken command confirmation when this directory is opened in Claude. It also contains an SMTP notification service with embedded credentials.
Static reason
One or more suspicious static signals were detected.
Trigger
Opening the extracted directory in Claude Code; invoking the notification service.
Impact
Selected agent shell commands may be auto-approved; the embedded SMTP account may be exposed or abused.
Mechanism
Agent command pre-authorization and SMTP email delivery.
Rationale
Source inspection found no concrete malicious install/import behavior or payload execution. The embedded AI-agent permission configuration and SMTP credentials create real downstream risk, so a warning is warranted rather than a block.
Evidence
.claude/settings.local.jsonpackage.jsondi/di.jsmodel-services/notification.service.jslibs/access-token.service.jslibs/file.helper.js
Network endpoints2
mail.service-desk.uzamqp://localhost
Decision evidence
public snapshotAI called this Suspicious at 87.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- .claude/settings.local.json pre-authorizes npm, node, npx, and git Bash commands for Claude.
- model-services/notification.service.js embeds SMTP account credentials and sends email.
- di/di.js dynamically requires paths supplied by caller DI configuration.
Evidence against
- package.json has no preinstall, install, postinstall, or bin lifecycle script.
- No child_process, eval, vm, obfuscated payload, or remote code-loading primitive was found.
- Network behavior is application-aligned: SMTP notification, local AMQP, and configured SSO token refresh.
- Filesystem mutations are upload/image-management and authenticated file-deletion helpers.
Behavioral surface
DynamicRequireEnvironmentVarsFilesystemNetwork
HighEntropyStrings
Source & flagged code
2 flagged · loading sourcedi/di.jsView file
11try {
L12: const item = require(`${process.cwd()}${this.config[itemName].class}`);
L13: this.items[itemName] = new item;
Medium
Dynamic Require
Package source references dynamic require/import behavior.
di/di.jsView on unpkg · L11package.jsonView file
•Runtime dependency names matching Node built-ins: crypto, fs, http, path
High
Node Builtin Dependency Squat
Package declares a runtime dependency whose name matches a Node built-in module.
package.jsonView on unpkgFindings
1 High3 Medium3 Low
HighNode Builtin Dependency Squatpackage.json
MediumDynamic Requiredi/di.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings