registry  /  @herald-ai/herald  /  0.1.46

@herald-ai/herald@0.1.46

AI DevOps agent for developers working from the terminal

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Interactive startup with Herald credentials can download dynamic skill text and persist it as Claude skill files in a Herald-managed directory. Explicit integration commands can install Herald skills into supported agent directories. No install-time attack surface is established.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Run the interactive CLI with credentials and Claude-harness mode enabled; or explicitly run `herald integrate <target>`.
Impact
A remote service controls persisted AI-agent skill instructions within Herald-managed configuration; explicit integrations add skills to selected agent environments.
Mechanism
Authenticated remote skill synchronization and agent-skill installation.
Rationale
The static malicious verdict is not supported: no install hook or concrete malicious chain was found. The automatic remote-to-agent-skill synchronization is a real first-party agent-extension lifecycle risk and warrants a warning.
Evidence
package.jsonbin/herald.jsdist/main.jsdist/lib/dynamic-skills-cache.jsdist/lib/api.jsdist/lib/claude-integration.jsdist/lib/cursor-integration.jsdist/lib/codex-integration.jsdist/lib/experiment/claude-subprocess.jsdist/screens/Investigation.js
Network endpoints1
api.herald.dev/api/cli/skills

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/main.js` auto-syncs server-provided dynamic skills after interactive startup when credentials exist.
  • `dist/lib/dynamic-skills-cache.js` fetches `/api/cli/skills` and writes returned content as `SKILL.md` under Herald-managed Claude skill directories.
  • `dist/lib/claude-integration.js` and `dist/lib/experiment/claude-subprocess.js` create Herald-owned Claude config/skill directories and can launch the Claude CLI.
  • `dist/screens/Investigation.js` executes shell commands only for user input prefixed with `!`.
  • `dist/main.js` runs `npm install -g @herald-ai/herald` only after an in-app upgrade request.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
  • `bin/herald.js` only resolves and imports `dist/main.js`; no hidden loader behavior found.
  • Global Cursor, Claude, and Codex skill writes are behind explicit `herald integrate <target>` commands.
  • Managed Claude files are placed below Herald's own configuration directory, not written into the user's global Claude configuration.
  • No source evidence of credential harvesting, covert exfiltration, destructive actions, or install-time foreign AI-agent control-surface mutation.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 221 file(s), 1.33 MB of source, external domains: 127.0.0.1, api.eu.newrelic.com, api.githubcopilot.com, api.herald.dev, api.motherduck.com, api.newrelic.com, api.supabase.com, app.herald.dev, astral.sh, clouderrorreporting.googleapis.com, console.cloud.google.com, docs.astral.sh, gateway.runllm.com, grafana.acme.internal, grafana.example.com, herald.dev, mcp.eu.newrelic.com, mcp.honeycomb.io, mcp.newrelic.com, mcp.render.com, monitoring.googleapis.com, my-deployment.kb.us-central1.gcp.elastic.cloud, nodejs.org, one.eu.newrelic.com, one.newrelic.com, portal.azure.com, registry.npmjs.org, splunk.example.com, supabase.com, www.googleapis.com

Source & flagged code

5 flagged · loading source
dist/screens/Investigation.jsView file
2import { useCallback, useEffect, useMemo, useRef, useState } from "react"; L3: import { spawn } from "node:child_process"; L4: import { Box, Text, useApp, useInput } from "ink";
High
Child Process

Package source references child process execution.

dist/screens/Investigation.jsView on unpkg · L2
339const startMs = Date.now(); L340: const proc = spawn(cmd, { shell: true }); L341: shellProcRef.current = proc;
High
Shell

Package source references shell execution.

dist/screens/Investigation.jsView on unpkg · L339
bin/herald.jsView file
5const __dirname = dirname(fileURLToPath(import.meta.url)); L6: await import(resolve(__dirname, '../dist/main.js'));
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/herald.jsView on unpkg · L5
dist/main.jsView file
336if (wasUpgradeRequested()) { L337: const { spawnSync } = await import("node:child_process"); L338: process.stdout.write("\nRunning: npm install -g @herald-ai/herald\n\n"); L339: const result = spawnSync("npm", ["install", "-g", "@herald-ai/herald"], { stdio: "inherit" });
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/main.jsView on unpkg · L336
dist/lib/experiment/claude-subprocess.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @herald-ai/herald@0.1.45 matchedIdentity = npm:QGhlcmFsZC1haS9oZXJhbGQ:0.1.45 similarity = 0.808 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/lib/experiment/claude-subprocess.jsView on unpkg

Findings

1 Critical3 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/lib/experiment/claude-subprocess.js
HighChild Processdist/screens/Investigation.js
HighShelldist/screens/Investigation.js
HighRuntime Package Installdist/main.js
MediumDynamic Requirebin/herald.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings