AI Security Review
scanned 3h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `martha runner --allow-host-exec` or `martha chat --local-exec --yes`.
Impact
Remote Martha tasks or chat tool calls can run local commands under user consent; no unconsented activation found.
Mechanism
Explicit host command execution and API result reporting
Rationale
Static source inspection shows a legitimate Martha platform CLI with explicit host-execution features and no lifecycle hook, stealth persistence, credential scraping, or unconsented AI-agent control-surface mutation. Because the user-enabled runner/local-exec surface can execute remote task commands and exfiltrate output to the configured API, warn rather than block.
Evidence
package.jsondist/index.jsREADME.mdCHANGELOG.mdskills/martha-cli/SKILL.md~/.martha/config.yaml~/.martha/credentials.json.martha-runner/
Network endpoints5
martha.nomadriver.coauth.nomadriver.coregistry.npmjs.org/@aiaiai-pt%2Fmartha-cli/latestlocalhost:8080localhost:8180
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- dist/index.js registers user-invoked `runner` that executes server-supplied task goals only with `--allow-host-exec`.
- dist/index.js supports `chat --local-exec --yes` host tools, file writes/edits, screenshots, browser actions, and local agent delegation.
- dist/index.js posts command output/tool results back to Martha API endpoints after explicit local-exec/runner use.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle hooks; only bin `martha` points to dist/index.js.
- Network use is aligned with documented Martha CLI operations and configurable API/auth endpoints.
- Token/config writes are expected CLI state under `~/.martha`, with env auth precedence documented in README.md.
- child_process findings are mostly bundled commander/update logic plus explicit runner/local-exec commands, not import-time execution.
- MCP grant/setup is explicit via `martha mcp add/grant`, not install-time mutation of foreign AI-agent config.
- No credential harvesting, stealth persistence, destructive install behavior, or remote payload loading found.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
4 flagged · loading sourcedist/index.jsView file
752var EventEmitter = __require("node:events").EventEmitter;
L753: var childProcess = __require("node:child_process");
L754: var path = __require("node:path");
High
1212}
L1213: const execArgv = process2.execArgv ?? [];
L1214: if (execArgv.includes("-e") || execArgv.includes("--eval") || execArgv.includes("-p") || execArgv.includes("--print")) {
High
21526const body = fs12.readFileSync(skillPath, "utf-8");
L21527: process.stdout.write(body);
L21528: }
...
L21535: // src/commands/update.ts
L21536: import { spawnSync } from "node:child_process";
L21537: import { realpathSync } from "node:fs";
...
L21540: var PKG = "@aiaiai-pt/martha-cli";
L21541: var LATEST_URL = "https://registry.npmjs.org/@aiaiai-pt%2Fmartha-cli/latest";
L21542: function compareSemver2(a, b) {
High
Command Output Exfiltration
Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/index.jsView on unpkg · L2152629var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
L30: var __require = /* @__PURE__ */ createRequire(import.meta.url);
L31:
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/index.jsView on unpkg · L29Findings
3 High3 Medium4 Low
HighChild Processdist/index.js
HighShelldist/index.js
HighCommand Output Exfiltrationdist/index.js
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings