AI Security Review
scanned 3h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs the `entities-runtime` CLI and completes pairing.
Impact
A paired runtime can execute requested agent work with elevated Claude permission handling; this is an intentional but high-risk capability.
Mechanism
Remote-request-driven AI agent execution with Claude permission-state mutation.
Rationale
No concrete malicious install-time behavior, credential exfiltration chain, or concealed payload was found. The explicit runtime mutation of Claude permission state and remote agent execution warrant a warning rather than a block.
Evidence
package.jsonscripts/fix-pty-helper.jsdist/index.jsdist/claude-config.jsdist/claude-spawn.jsdist/session-runner.jsnode_modules/node-pty/prebuilds/*/spawn-helper~/.claude/settings.json~/.claude.json~/.entities-runtime/state.json<session-cwd>/.mcp.json<session-cwd>/.claude/skills/SKILL.md
Network endpoints4
syhzpqqvrplaqdipcymw.supabase.covault.add.ai/add/entityaddai-flows-backend-29522465016.europe-west2.run.appsyhzpqqvrplaqdipcymw.supabase.co/functions/v1/entity-self-improve
Decision evidence
public snapshotAI called this Suspicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/index.js` calls `ensureBypassPermissionsAccepted()` when the daemon starts.
- `dist/claude-config.js` sets Claude's global bypass-warning acceptance and project trust entries.
- `dist/session-runner.js` polls paired service requests and launches Claude/Codex/Kimi/Gemini sessions.
- `dist/claude-spawn.js` passes remote request options to a PTY-launched Claude process.
- `dist/install.js` writes request-provided MCP and skill configuration into session workspaces.
Evidence against
- `package.json` postinstall only chmods `node-pty`'s local spawn helper.
- No install hook writes AI-agent configuration or contacts a network endpoint.
- CLI invokes runtime startup explicitly; importing `dist/index.js` does not start it.
- No eval/vm/dynamic loader or hidden payload mechanism was found.
- Network calls are package-aligned pairing, RPC, heartbeat, and request-flow endpoints.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node scripts/fix-pty-helper.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgscripts/smoke-test.shView file
•path = scripts/smoke-test.sh
kind = build_helper
sizeBytes = 2483
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
scripts/smoke-test.shView on unpkgFindings
1 High4 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/smoke-test.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings