registry  /  @herald-ai/herald  /  0.1.44

@herald-ai/herald@0.1.44

AI DevOps agent for developers working from the terminal

AI Security Review

scanned 52m ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package is a DevOps AI CLI with user/runtime-triggered local tool execution and optional Claude/Codex integration. The main unresolved risk is first-party agent extension setup and remote Herald skills being written into Herald-managed agent skill directories, not install-time malware.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Running herald with credentials and Claude harness enabled, or explicit herald integrate commands.
Impact
Could expand local AI-agent capabilities and run configured infrastructure tools during user investigations; no confirmed unconsented install-time compromise.
Mechanism
first-party agent skill/config installation plus Claude subprocess with skipped permissions
Rationale
Source inspection confirms dangerous AI-agent integration primitives, but they are first-party, runtime or explicit-command behavior rather than unconsented npm install hooks or covert exfiltration. Warn rather than block because the remaining risk is agent extension lifecycle/capability expansion, not concrete malicious execution.
Evidence
package.jsonbin/herald.jsdist/main.jsdist/lib/experiment/claude-subprocess.jsdist/lib/claude-integration.jsdist/lib/codex-integration.jsdist/lib/dynamic-skills-cache.jsdist/screens/Investigation.js~/.config/herald/credentials.json~/.herald/config.json~/.herald/.claude/skills/*~/.herald/.claude/.claude.json~/.herald/.claude-enhanced/skills/*~/.claude/skills/*~/.codex/config.toml~/.agents/skills/*
Network endpoints3
gateway.runllm.comapi.herald.devapp.herald.dev

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/lib/experiment/claude-subprocess.js runs Claude via sh -c with --dangerously-skip-permissions.
  • dist/main.js calls setupManagedClaudeConfigDir/installManagedClaudeSkills and syncDynamicSkills on startup when credentials and Claude harness are enabled.
  • dist/lib/dynamic-skills-cache.js fetches skills from the Herald API and writes SKILL.md files into Herald-managed Claude skills dirs.
  • dist/lib/experiment/claude-subprocess.js copies ~/.claude.json into ~/.herald Claude config dirs and can merge Herald MCP servers into Claude project config.
  • dist/screens/Investigation.js exposes shell command execution via spawn(cmd,{shell:true}) for interactive/user-driven commands.
Evidence against
  • package.json has no preinstall/install/postinstall hook; prepublishOnly is publish-time build only.
  • bin/herald.js only imports dist/main.js as the CLI entrypoint.
  • Network endpoints are package-aligned Herald/RunLLM API URLs or documented provider integrations.
  • Credential reads are from Herald's own ~/.config/herald/credentials.json and used for authenticated Herald API calls.
  • Runtime npm install is only an explicit self-upgrade path after wasUpgradeRequested().
  • No evidence of credential harvesting, stealth persistence, destructive behavior, or install-time foreign agent mutation.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 217 file(s), 1.32 MB of source, external domains: 127.0.0.1, api.eu.newrelic.com, api.githubcopilot.com, api.herald.dev, api.motherduck.com, api.newrelic.com, api.supabase.com, app.herald.dev, astral.sh, clouderrorreporting.googleapis.com, console.cloud.google.com, docs.astral.sh, gateway.runllm.com, grafana.example.com, herald.dev, mcp.eu.newrelic.com, mcp.honeycomb.io, mcp.newrelic.com, mcp.render.com, monitoring.googleapis.com, my-deployment.kb.us-central1.gcp.elastic.cloud, nodejs.org, one.eu.newrelic.com, one.newrelic.com, portal.azure.com, registry.npmjs.org, splunk.example.com, supabase.com, www.googleapis.com

Source & flagged code

5 flagged · loading source
dist/screens/Investigation.jsView file
2import { useCallback, useEffect, useMemo, useRef, useState } from "react"; L3: import { spawn } from "node:child_process"; L4: import { Box, Static, Text, useApp, useInput } from "ink";
High
Child Process

Package source references child process execution.

dist/screens/Investigation.jsView on unpkg · L2
295const startMs = Date.now(); L296: const proc = spawn(cmd, { shell: true }); L297: shellProcRef.current = proc;
High
Shell

Package source references shell execution.

dist/screens/Investigation.jsView on unpkg · L295
bin/herald.jsView file
5const __dirname = dirname(fileURLToPath(import.meta.url)); L6: await import(resolve(__dirname, '../dist/main.js'));
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/herald.jsView on unpkg · L5
dist/main.jsView file
325if (wasUpgradeRequested()) { L326: const { spawnSync } = await import("node:child_process"); L327: process.stdout.write("\nRunning: npm install -g @herald-ai/herald\n\n"); L328: const result = spawnSync("npm", ["install", "-g", "@herald-ai/herald"], { stdio: "inherit" });
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/main.jsView on unpkg · L325
dist/lib/experiment/claude-subprocess.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @herald-ai/herald@0.1.41 matchedIdentity = npm:QGhlcmFsZC1haS9oZXJhbGQ:0.1.41 similarity = 0.867 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/lib/experiment/claude-subprocess.jsView on unpkg

Findings

1 Critical3 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/lib/experiment/claude-subprocess.js
HighChild Processdist/screens/Investigation.js
HighShelldist/screens/Investigation.js
HighRuntime Package Installdist/main.js
MediumDynamic Requirebin/herald.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings