registry  /  @dimora/atrium-host  /  0.2.0

@dimora/atrium-host@0.2.0

Atrium host as a library. `@dimora/atrium-host` (index) is the vscode-free composition (createAtriumHost: registry + the three channels + render dispatch). `@dimora/atrium-host/activate` (activateAtriumHost) is the full VS Code host wiring — broker, dual-

AI Security Review

scanned 8h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User confirms setup or invokes trusted-workspace daemon/probe actions in the VS Code host.
Impact
Can persist Atrium-owned hooks in the opened workspace and run configured commands or launchd jobs after user interaction.
Mechanism
Trusted-workspace AI-agent hook setup and user-invoked command/daemon execution.
Rationale
This is not malicious code, but it has real explicit-user AI-agent configuration and execution capabilities. Per policy, that merits a warning rather than a clean verdict.
Evidence
package.jsondist/activate.js.claude/settings.json.atrium/hooks/atrium-record-dispatch.sh.atrium/hooks/atrium-register-thread.sh

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/activate.js` adds Claude Code hook commands to workspace `.claude/settings.json`.
  • It writes executable `.atrium/hooks/atrium-record-dispatch.sh` and `.atrium/hooks/atrium-register-thread.sh`.
  • Hook setup is restricted to trusted workspaces and requires a modal `Set up` confirmation.
  • The package can install launchd schedules only through trust-gated daemon intents.
  • Command probes execute configured shell commands only when enabled in a trusted workspace.
Evidence against
  • `package.json` has no npm lifecycle scripts.
  • No credential harvesting or external exfiltration endpoint was found.
  • Network server binds to loopback and requires a random Bearer token.
  • Dynamic Copilot SDK import and CLI lookup are package-aligned runtime integrations.
  • No install-time execution, hidden payload loading, or destructive broad file mutation was found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
WildcardDependency
scanned 8 file(s), 1.39 MB of source, external domains: 127.0.0.1, github.com, json-schema.org, raw.githubusercontent.com, www.apple.com

Source & flagged code

3 flagged · loading source
dist/activate.cjsView file
7var __hasOwnProp = Object.prototype.hasOwnProperty; L8: var __commonJS = (cb, mod) => function __require() { L9: return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/activate.cjsView on unpkg · L7
1226// validation function arguments L1227: data: new codegen_1.Name("data"), L1228: // data passed to validation function ... L2253: id = normalizeId(id); L2254: return resolver.resolve(baseId, id); L2255: } ... L3116: for (i = 0; i < input.length; i++) { L3117: code = input[i].charCodeAt(0); L3118: if (code === 48) { ... L11759: *next(token) { L11760: if (node_process.env.LOG_STREAM) L11761: console.dir(token, { depth: null });
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/activate.cjsView on unpkg · L1226
2942sourceCode = this.opts.code.process(sourceCode, sch); L2943: const makeValidate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode); L2944: const validate = makeValidate(this, this.scope.get());
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/activate.cjsView on unpkg · L2942

Findings

5 Medium5 Low
MediumDynamic Requiredist/activate.cjs
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/activate.cjs
MediumWildcard Dependency
LowScripts Present
LowEvaldist/activate.cjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
@dimora/atrium-host@0.2.0: Suspicious npm security report (Warn) | LPM Firewall