AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `coreframe upgrade check-skill-current --apply --target <git-ref>`.
Impact
Changes instructions available to the project's agent workflow; the user must explicitly request application.
Mechanism
Explicit CLI-mediated AI-agent skill replacement from Git content.
Rationale
Source inspection found an explicit-user-command mutation of a project AI-agent skill, which warrants a warning under the firewall policy. The package has no lifecycle hooks or concrete malicious chain.
Evidence
package.jsonbin/coreframe.jsdist/coreframe.jsdist/upgrade/check-skill-current.jsdist/upgrade/ensure-template-remote.js.agents/skills/coreframe-upgrade/SKILL.md.git/config
Network endpoints1
github.com/airlock-labs/coreframe.git
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `dist/upgrade/check-skill-current.js` can overwrite `.agents/skills/coreframe-upgrade/SKILL.md`.
- The overwrite requires the explicit `upgrade check-skill-current --apply` CLI path.
- `dist/upgrade/ensure-template-remote.js` adds/fetches a fixed GitHub template remote.
Evidence against
- `package.json` has no preinstall, install, postinstall, or prepare hook.
- The agent-skill write is gated by `--apply` and warns users to reread it.
- No credential harvesting, exfiltration, stealth persistence, or remote code execution was found.
- `bin/coreframe.js` runs only when the user invokes the package CLI.
Behavioral surface
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsMinifiedUrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcedist/managed-dev.jsView file
1import{managedDevTokenEnv as e,managedDevUrlEnv as t}from"./managed-dev-protocol.js";import{createRequire as n}from"node:module";import{createHash as r,randomBytes as i}from"node:c...
L2: `),fingerprint:o.digest(`hex`),tracked:t.length>0,untracked:a}}async function ae(e,t,n){let{stdout:r}=await m(`codex`,[`exec`,`--ephemeral`,`--ignore-user-config`,`--sandbox`,`read...
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/managed-dev.jsView on unpkg · L1dist/deploy.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @coreframe/scripts@0.1.13
matchedIdentity = npm:QGNvcmVmcmFtZS9zY3JpcHRz:0.1.13
similarity = 0.444
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/deploy.jsView on unpkgFindings
1 High4 Medium5 Low
HighPrevious Version Dangerous Deltadist/deploy.js
MediumDynamic Requiredist/managed-dev.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License