AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `brainlink agent install` or `brainlink agent upgrade`.
Impact
Writes Brainlink-owned MCP/plugin integration settings in user home directories; no stealth or install-time activation found.
Mechanism
Explicit first-party AI-agent configuration mutation.
Rationale
The package is not malicious by source inspection, but its explicit command can alter local AI-agent integration configuration. Per firewall policy, this is a warn-level capability rather than a publish block.
Evidence
package.jsondist/cli/main.jsdist/cli/commands/agent-commands.jsdist/infrastructure/file-system-vault.jsdist/domain/embeddings.js~/.codex/config.toml~/.agents/plugins/marketplace.json~/plugins/brainlink
Decision evidence
public snapshotAI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/cli/commands/agent-commands.js` explicit `agent install`/`upgrade` writes `~/.codex/config.toml`.
- The same explicit command updates `~/.agents/plugins/marketplace.json` and replaces `~/plugins/brainlink` with a symlink.
- `dist/cli/main.js` performs an optional npm-registry update check during CLI runtime.
Evidence against
- `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
- Agent-control writes are only registered under user-invoked `brainlink agent install` or `upgrade`.
- MCP configuration points to the package's own `brainlink-mcp` command; no remote payload execution found.
- `dist/infrastructure/file-system-vault.js` constrains note writes and deletions to the selected vault.
- Embedding and S3 network use is configured feature behavior, not credential harvesting or exfiltration.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourceassets/fonts/CrowquillMono-Bold.woff2View file
•path = assets/fonts/CrowquillMono-Bold.woff2
kind = high_entropy_blob
sizeBytes = 107188
magicHex = [redacted]
High
Ships High Entropy Blob
Package ships high-entropy non-source blobs.
assets/fonts/CrowquillMono-Bold.woff2View on unpkgdist/cli/commands/write/server-commands.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @andespindola/brainlink@1.5.0
matchedIdentity = npm:QGFuZGVzcGluZG9sYS9icmFpbmxpbms:1.5.0
similarity = 0.758
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/cli/commands/write/server-commands.jsView on unpkgFindings
2 High3 Medium4 Low
HighShips High Entropy Blobassets/fonts/CrowquillMono-Bold.woff2
HighPrevious Version Dangerous Deltadist/cli/commands/write/server-commands.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings