AI Security Review
scanned 1h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
Explicit execution of `agentflare init --agent ...` or its MCP messaging tools.
Impact
Can alter configured agent hook files and transmit user-selected messages to configured chat platforms.
Mechanism
Explicit agent-config mutation and bot-token-backed outbound chat messaging.
Rationale
Source inspection contradicts the scanner's malicious conclusion because there are no lifecycle hooks and the configuration behavior is explicitly user-invoked. The native binary still presents a documented AI-agent configuration and outbound messaging capability that warrants a warning rather than a block.
Evidence
package.jsonREADME.mdbin/agentflare
Network endpoints2
api.telegram.org/botdiscord.com/api/v10/channels/
Decision evidence
public snapshotAI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `README.md` documents `agentflare init --agent` writing Claude and Cursor hook/config files.
- `bin/agentflare` contains MCP `channel_send` support with stored bot-token messaging.
- `bin/agentflare` contains Telegram and Discord API endpoint strings.
- Package distributes a stripped native executable, limiting source-level verification.
Evidence against
- `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
- `package.json` exposes the binary only through the user-invoked `agentflare` CLI.
- `README.md` describes configuration writes as explicit `init --agent` actions.
- No package file showed credential harvesting, stealth persistence, or unconsented install-time execution.
Behavioral surface
Source & flagged code
2 flagged · loading sourcebin/agentflareView file
•path = bin/agentflare
kind = binary_string_ioc
sizeBytes = 17919160
magicHex = [redacted]
matchedPrintableString = nor --base-version (base_version).
- list
artifact_list, honoring --session.
- get <id>
artifact_get, honoring --version.
- delete <id>
artifact_delete.
after the call, report the resulting url (or listing/content) to the user.
exit
https://api.telegram.org/bot
/sendmessage
slack rejected the message:
auto-opened on `item done` for
the last
days (
agentflare-
http error:
rm
/home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/cipher-0.4.4/src/strea
Critical
Binary String Ioc
Native or WebAssembly artifact printable strings contain known collector or webhook infrastructure.
bin/agentflareView on unpkg•path = bin/agentflare
kind = native_binary
sizeBytes = 17919160
magicHex = [redacted]
Medium
Findings
1 Critical2 Medium
CriticalBinary String Iocbin/agentflare
MediumShips Native Binarybin/agentflare
MediumStructural Risk Force Deep Review