AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot- `dist/lib/experiment/claude-subprocess.js` launches `claude` with `--dangerously-skip-permissions`.
- Normal interactive startup with credentials and Claude harness enabled creates Herald-managed Claude config and skills.
- The CLI can invoke `npm install -g @herald-ai/herald` only after an in-app upgrade request.
- `dist/lib/grafana-install.js` can install Grafana MCP through a user-facing tool flow.
- `package.json` has only `prepublishOnly`; no install-time lifecycle hook executes for consumers.
- `bin/herald.js` only imports `dist/main.js`; import does not fetch or execute a payload.
- Claude files are confined to Herald-owned `~/.herald/.claude*`, while explicit integrations are dispatched by `herald integrate`.
- Configured network defaults target Herald/RunLLM services; no covert exfiltration path was found.
- No eval/vm, remote code download-and-execute, destructive filesystem behavior, or foreign agent-config overwrite was found.
Source & flagged code
5 flagged · loading sourcePackage source references child process execution.
dist/screens/Investigation.jsView on unpkg · L2Package source references dynamic require/import behavior.
bin/herald.jsView on unpkg · L5Package source invokes a package manager install command at runtime.
dist/main.jsView on unpkg · L325This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/lib/experiment/claude-subprocess.jsView on unpkg