AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. An opt-in runtime harness can create or overwrite agent instruction sidecars within a caller-selected workspace and start a configured agent CLI. This is a real AI-agent control-surface capability, but not install-time malware.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
An application invokes `ctx.harness.run()` with a persona containing harness instruction content.
Impact
Configured persona content can affect a Codex/Claude-style agent session in that workspace.
Mechanism
Workspace-bounded AGENTS/CLAUDE sidecar setup and non-shell agent-harness launch.
Rationale
Source inspection found a concrete, opt-in AI-agent control-surface write and harness launch, which warrants a warning under the firewall policy. It did not find behavior sufficient to classify the package as malicious or block publication.
Evidence
package.jsondist/cloud-defaults.jsdist/relay-mcp.jsdist/local-preview.jsdist/local-preview-child.jsdist/local-preview-hooks.jsAGENTS.mdCLAUDE.md
Network endpoints4
api.anthropic.comapi.openai.comchatgpt.com/backend-api/codexopenrouter.ai/api
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `dist/cloud-defaults.js` writes persona-rendered `AGENTS.md` or `CLAUDE.md` before launching an agent harness.
- `dist/cloud-defaults.js` launches configured harness binaries with `spawn(..., { shell: false })`.
- `dist/relay-mcp.js` invokes a relay broker with `--register` during configured Codex/Claude harness setup.
Evidence against
- `package.json` declares no `preinstall`, `install`, or `postinstall` script.
- Instruction writes are constrained to the selected workspace by `resolveWorkspacePath`.
- Local preview imports a caller-selected bundle only after child-process and raw-network guards are installed.
- No covert exfiltration, remote payload download, global agent-config mutation, or persistence was found.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcedist/local-preview-executor.jsView file
248try {
L249: userModule = (await import(bundleUrl));
L250: }
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/local-preview-executor.jsView on unpkg · L248dist/local-preview.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @agentworkforce/runtime@4.1.20
matchedIdentity = npm:QGFnZW50d29ya2ZvcmNlL3J1bnRpbWU:4.1.20
similarity = 0.925
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/local-preview.jsView on unpkgFindings
1 High3 Medium5 Low
HighPrevious Version Dangerous Deltadist/local-preview.js
MediumDynamic Requiredist/local-preview-executor.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License