AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `coreframe upgrade check-skill-current --apply` or enables managed development and requests a generated commit message.
Impact
Can alter the behavior of the project-local Coreframe upgrade skill; no unconsented install-time mutation is established.
Mechanism
Explicit project-local AI skill replacement and user-invoked Codex subprocess.
Rationale
No concrete malicious installation, stealth persistence, credential exfiltration, or remote payload chain was found. The explicit agent-skill mutation is a real capability that merits a warning under the firewall policy.
Evidence
package.jsondist/coreframe.jsdist/upgrade/check-skill-current.jsdist/managed-dev.jsdist/dev.js.agents/skills/coreframe-upgrade/SKILL.md.git/coreframe-managed-dev.lock.git/coreframe-managed-dev/
Decision evidence
public snapshotAI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/upgrade/check-skill-current.js` writes `.agents/skills/coreframe-upgrade/SKILL.md` when `apply` is true.
- `dist/coreframe.js` exposes this mutation as `coreframe upgrade check-skill-current --apply`.
- `dist/managed-dev.js` invokes `codex exec` with working-tree content to generate a commit message during managed development.
Evidence against
- `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
- The agent-skill write is an explicit, documented `--apply` command, not install-time behavior.
- The Codex subprocess uses `--ephemeral`, `--ignore-user-config`, and `--sandbox read-only`.
- No package code writes broad home-directory or foreign AI-agent configuration paths.
Behavioral surface
ChildProcessDynamicRequireEnvironmentVarsFilesystemShell
HighEntropyStringsMinifiedUrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcedist/managed-dev.jsView file
1import{managedDevTokenEnv as e,managedDevUrlEnv as t}from"./managed-dev-protocol.js";import{createRequire as n}from"node:module";import{createHash as r,randomBytes as i}from"node:c...
L2: `),fingerprint:o.digest(`hex`),tracked:t.length>0,untracked:a}}async function ae(e,t,n){let{stdout:r}=await m(`codex`,[`exec`,`--ephemeral`,`--ignore-user-config`,`--sandbox`,`read...
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/managed-dev.jsView on unpkg · L1dist/deploy.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @coreframe/scripts@0.1.16
matchedIdentity = npm:QGNvcmVmcmFtZS9zY3JpcHRz:0.1.16
similarity = 0.875
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/deploy.jsView on unpkgFindings
1 High3 Medium5 Low
HighPrevious Version Dangerous Deltadist/deploy.js
MediumDynamic Requiredist/managed-dev.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License