AI Security Review
scanned 52m ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The package is a DevOps AI CLI with user/runtime-triggered local tool execution and optional Claude/Codex integration. The main unresolved risk is first-party agent extension setup and remote Herald skills being written into Herald-managed agent skill directories, not install-time malware.
Decision evidence
public snapshot- dist/lib/experiment/claude-subprocess.js runs Claude via sh -c with --dangerously-skip-permissions.
- dist/main.js calls setupManagedClaudeConfigDir/installManagedClaudeSkills and syncDynamicSkills on startup when credentials and Claude harness are enabled.
- dist/lib/dynamic-skills-cache.js fetches skills from the Herald API and writes SKILL.md files into Herald-managed Claude skills dirs.
- dist/lib/experiment/claude-subprocess.js copies ~/.claude.json into ~/.herald Claude config dirs and can merge Herald MCP servers into Claude project config.
- dist/screens/Investigation.js exposes shell command execution via spawn(cmd,{shell:true}) for interactive/user-driven commands.
- package.json has no preinstall/install/postinstall hook; prepublishOnly is publish-time build only.
- bin/herald.js only imports dist/main.js as the CLI entrypoint.
- Network endpoints are package-aligned Herald/RunLLM API URLs or documented provider integrations.
- Credential reads are from Herald's own ~/.config/herald/credentials.json and used for authenticated Herald API calls.
- Runtime npm install is only an explicit self-upgrade path after wasUpgradeRequested().
- No evidence of credential harvesting, stealth persistence, destructive behavior, or install-time foreign agent mutation.
Source & flagged code
5 flagged · loading sourcePackage source references child process execution.
dist/screens/Investigation.jsView on unpkg · L2Package source references dynamic require/import behavior.
bin/herald.jsView on unpkg · L5Package source invokes a package manager install command at runtime.
dist/main.jsView on unpkg · L325This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/lib/experiment/claude-subprocess.jsView on unpkg