AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. An explicit `agentcall setup` can modify Claude/Codex instruction files and install a persistent per-user macOS listener. The listener connects to the package relay and launches a sandbox-wrapped local coding agent for permitted calls.
Static reason
No blocking static signals were detected.
Trigger
User runs `agentcall setup` without `--no-snippet` or `--skip-launchd`, then the LaunchAgent runs `agentcall listen`.
Impact
Creates user-level persistence and permits remote callers authorized by local policy to submit work to a local coding agent.
Mechanism
Explicit agent-extension setup plus launchd-backed relay listener
Rationale
Source establishes an explicit user-command agent extension and persistent listener, warranting a warning under the stated policy. No concrete malicious chain or unconsented lifecycle mutation was found.
Evidence
package.jsonbin/agentcall.jsdist/index.jsdist/setup.jsdist/launchd.jsdist/listener.jsdist/runner.jsdist/snippet.jsdist/srt.js~/.agentcall/config.json~/.agentcall/srt.json~/Library/LaunchAgents/tech.benree.agentcall.listener.plist~/.claude/CLAUDE.md~/.codex/AGENTS.md~/AgentCall/public~/AgentCall/tasks
Network endpoints1
agentcall.benree.tech
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `dist/setup.js` appends instructions to `~/.claude/CLAUDE.md` and `~/.codex/AGENTS.md` on explicit setup.
- `dist/setup.js` invokes `installLaunchAgent`; `dist/launchd.js` writes a persistent user LaunchAgent plist.
- `dist/listener.js` accepts relay-delivered calls and `dist/runner.js` spawns the configured Claude/Codex agent.
Evidence against
- `package.json` declares no preinstall, install, postinstall, or prepare lifecycle hook.
- `bin/agentcall.js` imports the CLI only when the user invokes `agentcall`.
- Network use is package-aligned relay registration, cards, calls, and listener WebSockets; no unrelated endpoint was found.
- `dist/config.js` stores its relay token with mode `0600`; `dist/srt.js` configures sandbox read/write restrictions.
- No eval/vm/native payload loading, credential harvesting, destructive filesystem behavior, or hidden shell-profile mutation was found.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/launchd.jsView file
1import { execFileSync } from "node:child_process";
L2: import { existsSync, mkdirSync, rmSync, writeFileSync } from "node:fs";
...
L50: try {
L51: execCmd(["launchctl", "bootout", `gui/${uid()}/${LAUNCH_LABEL}`]);
L52: }
Medium
Install Persistence
Source writes installer persistence such as shell profile or service configuration.
dist/launchd.jsView on unpkg · L1Findings
3 Medium4 Low
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/launchd.js
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings