AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `h1ve serve` and supplies the displayed pairing token to the permitted dashboard origin.
Impact
Can alter deployment secrets and configuration for accounts whose provider tokens are supplied.
Mechanism
Loopback HTTP agent applies supplied secrets to local env files or selected deployment-provider APIs.
Rationale
The package is not malicious by static inspection, but its explicit local-agent deployment-secret mutation capability warrants a warning classification under the dangerous-capability boundary.
Evidence
package.jsonREADME.mddist/index.js.env.local~/.config/h1ve/credentials.json
Network endpoints6
app.h1ve.orgapi.vercel.comapi.netlify.comapi.fly.io/graphqlbackboard.railway.com/graphql/v2api.render.com
Decision evidence
public snapshotAI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/index.js` exposes explicit `h1ve serve` routes that write/remove local environment variables.
- `/apply-deploy` and `/remove-deploy` accept supplied provider tokens and mutate deployment environment variables.
- The local agent supports Vercel, Netlify, Fly, Railway, and Render API calls.
Evidence against
- `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
- `dist/index.js` runs child processes only for Git operations and opening the login browser.
- The agent binds to `127.0.0.1`, checks origin/host, and requires a random pairing token.
- No reads of shell history, SSH keys, browser data, or unrelated AI-agent configuration were found.
- `connect` writes only user-provided keys to a gitignored local env file and sends metadata without values.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
WildcardDependency
Source & flagged code
2 flagged · loading sourcedist/index.jsView file
7// ../core/src/branch.ts
L8: import { execFile } from "child_process";
L9: import { promisify } from "util";
High
1242});
L1243: process.stdout.write(
L1244: `Agente H1VE ouvindo em http://127.0.0.1:${port}
L1245: Origem permitida: ${origin}
...
L1257: import { randomBytes as randomBytes2 } from "crypto";
L1258: import { execFile as execFile2 } from "child_process";
L1259: var LOGIN_TIMEOUT_MS = 3 * 60 * 1e3;
High
Command Output Exfiltration
Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/index.jsView on unpkg · L1242Findings
3 High3 Medium4 Low
HighChild Processdist/index.js
HighShell
HighCommand Output Exfiltrationdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings