AI Security Review
scanned 7m ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `agentflare init --agent ...` or configures and invokes notification features.
Impact
Can alter agent behavior and send chosen messages through user-configured third-party bot accounts.
Mechanism
Explicit AI-agent hook setup and configured outbound bot messaging.
Rationale
The scanner's native-binary and webhook indicators correspond to documented CLI capabilities rather than confirmed malware. Because the CLI can explicitly alter AI-agent control surfaces and invoke a remote installer, retain a warning verdict rather than marking it clean.
Evidence
package.jsonREADME.mdbin/agentflare
Network endpoints4
api.telegram.org/botdiscord.com/api/v10/channels/slack.com/api/chat.postMessageraw.githubusercontent.com/yvgude/lean-ctx/main/install.sh
Decision evidence
public snapshotAI called this Suspicious at 83.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `bin/agentflare` is a stripped native ELF and imports process, filesystem, and socket APIs.
- Binary strings show `agentflare init --agent` wiring `~/.claude/settings.json`, `.cursor/hooks.json`, and Codex hook/config files.
- Binary contains Telegram, Discord, and Slack message endpoints plus configured bot-token names.
- `README.md` documents that `init` writes host-agent hooks/configuration and can install lean-ctx via a remote installer.
Evidence against
- `package.json` has no preinstall, install, postinstall, prepare, or other lifecycle script.
- The documented and embedded config writes are triggered by explicit `agentflare init --agent ...` commands, not installation.
- Embedded messages say existing hook files are skipped/not overwritten and include cleanup paths.
- No credential-collection routine, unknown collector host, stealth persistence, or automatic exfiltration was confirmed from package files.
Behavioral surface
Source & flagged code
2 flagged · loading sourcebin/agentflareView file
•path = bin/agentflare
kind = binary_string_ioc
sizeBytes = 17919992
magicHex = [redacted]
matchedPrintableString = n).
- list
artifact_list, honoring --session.
- get <id>
artifact_get, honoring --version.
- delete <id>
artifact_delete.
after the call, report the resulting url (or listing/content) to the user.
exit
the last
days (
http error:
https://api.telegram.org/bot
/sendmessage
slack rejected the message:
auto-opened on `item done` for
rm
/home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/cipher-0.4.4/src/stream_core.rs
api call failed:
' failed:
.ori
Critical
Binary String Ioc
Native or WebAssembly artifact printable strings contain known collector or webhook infrastructure.
bin/agentflareView on unpkg•path = bin/agentflare
kind = native_binary
sizeBytes = 17919992
magicHex = [redacted]
Medium
Findings
1 Critical2 Medium
CriticalBinary String Iocbin/agentflare
MediumShips Native Binarybin/agentflare
MediumStructural Risk Force Deep Review