AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `trellis init` with platform options such as `--codex` or `--copilot`, or invokes channel collaboration.
Impact
Installed hooks and agents may affect later AI-tool sessions in the initialized project.
Mechanism
Writes platform-specific agent assets and optionally runs configured local/CLI AI backends.
Rationale
The package performs broad AI-agent project configuration on explicit user commands, which warrants a warning under the agent-control policy. Source inspection found no unconsented install-time mutation, exfiltration, remote payload execution, or stealth behavior.
Evidence
package.jsondist/cli/index.jsdist/commands/init.jsdist/configurators/codex.jsdist/configurators/copilot.jsdist/commands/channel/adapters/antigravity.jsdist/utils/template-fetcher.js.agents/skills.codex/skills.codex/agents.codex/hooks.codex/hooks.json.codex/config.toml.github/copilot/hooks.github/copilot/hooks.json.github/agents.github/prompts.github/hooks/trellis.json
Network endpoints2
raw.githubusercontent.com/mindfold-ai/marketplace/main/index.json127.0.0.1:8317/v1/chat/completions
Decision evidence
public snapshotAI called this Suspicious at 87.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/configurators/codex.js` writes `.codex` hooks, agents, skills, and config.
- `dist/configurators/copilot.js` writes Copilot hooks, agents, prompts, and instructions.
- `dist/commands/channel/adapters/antigravity.js` can send user turns to a configured CLI/proxy.
Evidence against
- `package.json` has no preinstall, install, or postinstall hook.
- CLI mutations are reached through explicit `trellis init` options.
- Default template download targets the package-aligned Mindfold marketplace.
- No credential harvesting, stealth persistence, obfuscated payload, or destructive install-time behavior found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
CopyleftLicense
Source & flagged code
2 flagged · loading sourcedist/templates/copilot/hooks/session-start.pyView file
•path = [redacted]-start.py
kind = build_helper
sizeBytes = 19064
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
dist/templates/copilot/hooks/session-start.pyView on unpkgdist/commands/channel/adapters/antigravity.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @decade666/trellis@0.6.10
matchedIdentity = npm:QGRlY2FkZTY2Ni90cmVsbGlz:0.6.10
similarity = 0.991
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/commands/channel/adapters/antigravity.jsView on unpkgFindings
1 High4 Medium6 Low
HighPrevious Version Dangerous Deltadist/commands/channel/adapters/antigravity.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperdist/templates/copilot/hooks/session-start.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License