AI Security Review
scanned 5d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The package is a Canon messaging core library whose network, local profile, RTDB, and git-worktree helpers are exposed as user-invoked APIs rather than install-time or import-time behavior.
Static reason
One or more suspicious static signals were detected.
Trigger
User application imports and explicitly calls Canon client, stream, registration, local profile, or host environment helper APIs.
Impact
Caller-directed Canon messaging/runtime operations; no evidence of unconsented exfiltration, persistence, destructive action, or install-time mutation.
Mechanism
Package-aligned REST/SSE/RTDB client and local runtime state helpers.
Rationale
Static inspection found suspicious primitives, but they match the package's Canon client/runtime purpose and are activated by explicit API calls. With no lifecycle hook, import-time execution chain, credential harvesting, arbitrary payload execution, or foreign AI-agent control mutation, the package should be marked clean.
Evidence
package.jsondist/constants.jsdist/index.jsdist/browser.jsdist/client.jsdist/stream.jsdist/rtdb-rest.jsdist/agent-profiles.jsdist/execution-environment.jsdist/local-runtime-catalog.jsdist/control-poller.jsdist/registration.js
Network endpoints4
api-6m6mlelskq-uc.a.run.appcanon-agent-stream-195218560334.us-central1.run.appproject-007a8e71-ba01-49e6-8aa-default-rtdb.firebaseio.comidentitytoolkit.googleapis.com/v1/accounts:signInWithCustomToken
Decision evidence
public snapshotAI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
- dist/constants.js embeds Canon/Firebase service URLs and a Firebase web API key.
- dist/client.js, dist/stream.js, and dist/rtdb-rest.js perform authenticated network calls when library APIs are invoked.
- dist/execution-environment.js can run git via spawnSync and write local Canon workspace state when host helpers are called.
- dist/agent-profiles.js reads/writes ~/.canon profiles and locks when explicit profile helpers are used.
Evidence against
- package.json has no preinstall/install/postinstall hooks; only prepack/build scripts are developer packaging flows.
- dist/index.js, dist/browser.js, dist/host.js, and dist/local.js are barrel exports with no import-time attack behavior observed.
- Network endpoints are package-aligned Canon API/stream/RTDB/Firebase token exchange helpers, not arbitrary exfiltration sinks.
- No credential harvesting beyond caller-provided Canon API keys/profile config; secret redaction utilities are defensive.
- No eval/vm/Function, native binary loading, persistence mechanism, destructive filesystem behavior, or AI-agent control-surface install mutation found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcedist/constants.jsView file
4patternName = google_api_key
severity = high
line = 4
matchedText = export c...lE';
High
4patternName = google_api_key
severity = high
line = 4
matchedText = export c...lE';
High
dist/constants.d.tsView file
4patternName = google_api_key
severity = high
line = 4
matchedText = export d...lE";
High
Findings
3 High2 Medium4 Low
HighHigh Secretdist/constants.js
HighSecret Patterndist/constants.js
HighSecret Patterndist/constants.d.ts
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings