registry  /  @herald-ai/herald  /  0.1.45

@herald-ai/herald@0.1.45

AI DevOps agent for developers working from the terminal

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `herald` with stored credentials and Claude harness enabled, then submits an investigation/query.
Impact
A prompted Claude subprocess may execute local investigation actions with broad permissions; this is a dangerous, package-aligned agent capability rather than a confirmed malicious chain.
Mechanism
Claude subprocess launched with permission bypass and Herald-managed agent configuration.
Rationale
Source inspection does not support a malicious verdict, but the permission-bypassing Claude subprocess is a real high-impact agent capability. Its activation is user-run and package-aligned, so it warrants a warning rather than a publication block.
Evidence
package.jsonbin/herald.jsdist/main.jsdist/lib/experiment/claude-subprocess.jsdist/lib/claude-integration.jsdist/lib/grafana-install.js~/.herald/.claude~/.herald/.claude/skills~/.config/herald/credentials.json
Network endpoints4
gateway.runllm.comapp.herald.devapi.herald.devregistry.npmjs.org/@herald-ai/herald/latest

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/lib/experiment/claude-subprocess.js` launches `claude` with `--dangerously-skip-permissions`.
  • Normal interactive startup with credentials and Claude harness enabled creates Herald-managed Claude config and skills.
  • The CLI can invoke `npm install -g @herald-ai/herald` only after an in-app upgrade request.
  • `dist/lib/grafana-install.js` can install Grafana MCP through a user-facing tool flow.
Evidence against
  • `package.json` has only `prepublishOnly`; no install-time lifecycle hook executes for consumers.
  • `bin/herald.js` only imports `dist/main.js`; import does not fetch or execute a payload.
  • Claude files are confined to Herald-owned `~/.herald/.claude*`, while explicit integrations are dispatched by `herald integrate`.
  • Configured network defaults target Herald/RunLLM services; no covert exfiltration path was found.
  • No eval/vm, remote code download-and-execute, destructive filesystem behavior, or foreign agent-config overwrite was found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 217 file(s), 1.32 MB of source, external domains: 127.0.0.1, api.eu.newrelic.com, api.githubcopilot.com, api.herald.dev, api.motherduck.com, api.newrelic.com, api.supabase.com, app.herald.dev, astral.sh, clouderrorreporting.googleapis.com, console.cloud.google.com, docs.astral.sh, gateway.runllm.com, grafana.example.com, herald.dev, mcp.eu.newrelic.com, mcp.honeycomb.io, mcp.newrelic.com, mcp.render.com, monitoring.googleapis.com, my-deployment.kb.us-central1.gcp.elastic.cloud, nodejs.org, one.eu.newrelic.com, one.newrelic.com, portal.azure.com, registry.npmjs.org, splunk.example.com, supabase.com, www.googleapis.com

Source & flagged code

5 flagged · loading source
dist/screens/Investigation.jsView file
2import { useCallback, useEffect, useMemo, useRef, useState } from "react"; L3: import { spawn } from "node:child_process"; L4: import { Box, Static, Text, useApp, useInput } from "ink";
High
Child Process

Package source references child process execution.

dist/screens/Investigation.jsView on unpkg · L2
319const startMs = Date.now(); L320: const proc = spawn(cmd, { shell: true }); L321: shellProcRef.current = proc;
High
Shell

Package source references shell execution.

dist/screens/Investigation.jsView on unpkg · L319
bin/herald.jsView file
5const __dirname = dirname(fileURLToPath(import.meta.url)); L6: await import(resolve(__dirname, '../dist/main.js'));
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/herald.jsView on unpkg · L5
dist/main.jsView file
325if (wasUpgradeRequested()) { L326: const { spawnSync } = await import("node:child_process"); L327: process.stdout.write("\nRunning: npm install -g @herald-ai/herald\n\n"); L328: const result = spawnSync("npm", ["install", "-g", "@herald-ai/herald"], { stdio: "inherit" });
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/main.jsView on unpkg · L325
dist/lib/experiment/claude-subprocess.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @herald-ai/herald@0.1.44 matchedIdentity = npm:QGhlcmFsZC1haS9oZXJhbGQ:0.1.44 similarity = 0.950 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/lib/experiment/claude-subprocess.jsView on unpkg

Findings

1 Critical3 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/lib/experiment/claude-subprocess.js
HighChild Processdist/screens/Investigation.js
HighShelldist/screens/Investigation.js
HighRuntime Package Installdist/main.js
MediumDynamic Requirebin/herald.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings