AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. Runtime provider calls can persist caller-selected skill-directory symlinks into workspace or agent-home control surfaces. ACP sessions can also launch a caller-configured local agent with file capabilities.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
A host calls Codex, Cursor, Pi, or ACP provider execution/session APIs with configured skill directories or an ACP command.
Impact
A host-provided skill can become discoverable by a local AI coding agent beyond the immediate call; configured ACP agents may read or write files with the invoking user's privileges.
Mechanism
Explicit runtime AI-agent skill injection and configured subprocess execution.
Rationale
Source inspection finds no concrete malware chain or lifecycle-based hijack. The package nevertheless exposes execution-time persistent AI-agent extension injection, a dangerous capability requiring host trust.
Evidence
package.jsonsrc/index.tssrc/utils/skills.tssrc/providers/codex/execute.tssrc/providers/cursor/execute.tssrc/providers/pi/execute.tssrc/providers/acp/session.ts
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `src/providers/codex/execute.ts` injects caller-supplied skill directories into `{cwd}/.agents/skills` during execution.
- `src/providers/cursor/execute.ts` and `src/providers/pi/execute.ts` invoke home-directory skill injection for configured skill directories.
- `src/utils/skills.ts` creates persistent symlinks in AI-agent skill locations and does not remove home/workspace injections.
- `src/providers/acp/session.ts` spawns a configured ACP binary and advertises file read/write capabilities to it at runtime.
Evidence against
- `package.json` has no `preinstall`, `install`, `postinstall`, or uninstall lifecycle hook.
- `src/index.ts` only exports APIs; provider execution modules are lazy-loaded.
- Skill injection and child-process execution require explicit provider/session calls and caller configuration.
- No hard-coded remote endpoint, credential exfiltration, eval, obfuscated payload, or import-time mutation was found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStrings
Source & flagged code
1 flagged · loading sourcedist/providers/acp/session.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @agentex/agent@0.0.24
matchedIdentity = npm:QGFnZW50ZXgvYWdlbnQ:0.0.24
similarity = 0.515
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/providers/acp/session.jsView on unpkgFindings
1 High2 Medium3 Low
HighPrevious Version Dangerous Deltadist/providers/acp/session.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings