registry  /  @hogsend/cli  /  0.39.0

@hogsend/cli@0.39.0

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package can install first-party Claude Code skills into a consumer project when the user runs CLI skill/upgrade commands. No install-time mutation, exfiltration, or remote payload execution was confirmed.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
explicit `hogsend skills add` or `hogsend upgrade` command
Impact
User project agent guidance may be overwritten/refreshed by package-provided skills.
Mechanism
first-party bundled agent skill copy into .claude
Rationale
Source inspection shows real agent-extension writes, but they are first-party and user-invoked, with no npm lifecycle hook or concrete malicious chain. Warn rather than block under the install control surface policy.
Evidence
package.jsonsrc/bin.tssrc/commands/skills.tssrc/commands/upgrade.tssrc/lib/skills.tssrc/lib/http.tssrc/lib/connect-flow.tssrc/commands/dev.tssrc/lib/setup-steps.ts.claude/skills/<skill>.claude/.hogsend-skills.json.env

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • src/commands/skills.ts copies bundled skills into ./.claude/skills on explicit `hogsend skills add`.
  • src/commands/upgrade.ts refreshes .claude skills while upgrading @hogsend deps, after prompt or --json/--yes.
  • src/lib/skills.ts uses cpSync/writeFileSync to create .claude/skills and .claude/.hogsend-skills.json.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts.
  • src/bin.ts only dispatches user-invoked CLI commands; no import-time command execution found.
  • src/lib/http.ts sends requests to user-configured Hogsend baseUrl with bearer auth for CLI API operations.
  • src/lib/connect-flow.ts stores PostHog OAuth tokens only to the configured Hogsend instance admin endpoint.
  • src/commands/dev.ts/setup.ts child_process usage runs expected local dev/setup commands in user-selected cwd.
  • High-entropy blobs are font/static studio assets, not executable payloads.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 47 file(s), 2.03 MB of source, external domains: 127.0.0.1, ap.www.namecheap.com, api-eu.customer.io, api.cloudflare.com, api.customer.io, api.example.com, api.vercel.com, app.loops.so, chatgpt.com, claude.ai, console.aws.amazon.com, dash.cloudflare.com, dcc.godaddy.com, discord.com, discord.gg, docs.hogsend.com, domains.google.com, eu.posthog.com, github.com, hatchet-lite-production.up.railway.app, hogsend.com, json-schema.org, porkbun.com, posthog.example.com, react.dev, us.posthog.com, vercel.com, www.perplexity.ai, www.w3.org, x.com

Source & flagged code

17 flagged · loading source
dist/bin.jsView file
54try { L55: res = await fetch(url, { L56: method, L57: headers, L58: body: opts.body !== void 0 ? JSON.stringify(opts.body) : void 0 L59: }); ... L63: } L64: const text4 = await res.text(); L65: let parsed; ... L171: const isJson = opts.json; L172: const interactive = !isJson && Boolean(process.stdout.isTTY); L173: return {
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/bin.jsView on unpkg · L54
54Trigger-reachable chain: manifest.exports -> dist/bin.js L54: try { L55: res = await fetch(url, { L56: method, L57: headers, L58: body: opts.body !== void 0 ? JSON.stringify(opts.body) : void 0 L59: }); ... L63: } L64: const text4 = await res.text(); L65: let parsed; ... L171: const isJson = opts.json; L172: const interactive = !isJson && Boolean(process.stdout.isTTY); L173: return {
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/bin.jsView on unpkg · L54
477// src/lib/browser.ts L478: import { spawn } from "child_process"; L479: function openBrowser(url) {
High
Child Process

Package source references child process execution.

dist/bin.jsView on unpkg · L477
2988try { L2989: const require2 = createRequire(import.meta.url); L2990: const pkg = require2("../package.json");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/bin.jsView on unpkg · L2988
54try { L55: res = await fetch(url, { L56: method, L57: headers, L58: body: opts.body !== void 0 ? JSON.stringify(opts.body) : void 0 L59: }); ... L63: } L64: const text4 = await res.text(); L65: let parsed; ... L171: const isJson = opts.json; L172: const interactive = !isJson && Boolean(process.stdout.isTTY); L173: return {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/bin.jsView on unpkg · L54
src/commands/dev.tsView file
211`not a Hogsend app — @hogsend/engine is not a dependency in ${pkgPath}. ` + L212: "Scaffold one with pnpm dlx create-hogsend@latest, or pass --cwd <dir>.", L213: ); ... L221: try { L222: const result = spawnSync("hatchet", ["--version"], { stdio: "ignore" }); L223: return !result.error && result.status === 0;
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

src/commands/dev.tsView on unpkg · L211
studio/assets/inter-greek-wght-normal-CkhJZR-_.woff2View file
path = studio/assets/inter-greek-wght-normal-CkhJZR-_.woff2 kind = high_entropy_blob sizeBytes = 18996 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

studio/assets/inter-greek-wght-normal-CkhJZR-_.woff2View on unpkg
src/__tests__/hatchet-token.test.tsView file
80patternName = generic_password severity = medium line = 80 matchedText = password...!!",
Medium
Secret Pattern

Hardcoded password in src/__tests__/hatchet-token.test.ts

src/__tests__/hatchet-token.test.tsView on unpkg · L80
114patternName = generic_password severity = medium line = 114 matchedText = password...!!",
Medium
Secret Pattern

Hardcoded password in src/__tests__/hatchet-token.test.ts

src/__tests__/hatchet-token.test.tsView on unpkg · L114
137patternName = generic_password severity = medium line = 137 matchedText = password...!!",
Medium
Secret Pattern

Hardcoded password in src/__tests__/hatchet-token.test.ts

src/__tests__/hatchet-token.test.tsView on unpkg · L137
src/__tests__/admin-recovery.test.tsView file
116patternName = generic_password severity = medium line = 116 matchedText = password...ry",
Medium
Secret Pattern

Hardcoded password in src/__tests__/admin-recovery.test.ts

src/__tests__/admin-recovery.test.tsView on unpkg · L116
140patternName = generic_password severity = medium line = 140 matchedText = await re... });
Medium
Secret Pattern

Hardcoded password in src/__tests__/admin-recovery.test.ts

src/__tests__/admin-recovery.test.tsView on unpkg · L140
142patternName = generic_password severity = medium line = 142 matchedText = recovery... }),
Medium
Secret Pattern

Hardcoded password in src/__tests__/admin-recovery.test.ts

src/__tests__/admin-recovery.test.tsView on unpkg · L142
149patternName = generic_password severity = medium line = 149 matchedText = await re... });
Medium
Secret Pattern

Hardcoded password in src/__tests__/admin-recovery.test.ts

src/__tests__/admin-recovery.test.tsView on unpkg · L149
154patternName = generic_password severity = medium line = 154 matchedText = password...56",
Medium
Secret Pattern

Hardcoded password in src/__tests__/admin-recovery.test.ts

src/__tests__/admin-recovery.test.tsView on unpkg · L154
172patternName = generic_password severity = medium line = 172 matchedText = password...23",
Medium
Secret Pattern

Hardcoded password in src/__tests__/admin-recovery.test.ts

src/__tests__/admin-recovery.test.tsView on unpkg · L172
180patternName = generic_password severity = medium line = 180 matchedText = await re... });
Medium
Secret Pattern

Hardcoded password in src/__tests__/admin-recovery.test.ts

src/__tests__/admin-recovery.test.tsView on unpkg · L180

Findings

2 Critical4 High14 Medium6 Low
CriticalCommand Output Exfiltrationdist/bin.js
CriticalTrigger Reachable Dangerous Capabilitydist/bin.js
HighChild Processdist/bin.js
HighShell
HighRuntime Package Installsrc/commands/dev.ts
HighShips High Entropy Blobstudio/assets/inter-greek-wght-normal-CkhJZR-_.woff2
MediumDynamic Requiredist/bin.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patternsrc/__tests__/hatchet-token.test.ts
MediumSecret Patternsrc/__tests__/hatchet-token.test.ts
MediumSecret Patternsrc/__tests__/hatchet-token.test.ts
MediumSecret Patternsrc/__tests__/admin-recovery.test.ts
MediumSecret Patternsrc/__tests__/admin-recovery.test.ts
MediumSecret Patternsrc/__tests__/admin-recovery.test.ts
MediumSecret Patternsrc/__tests__/admin-recovery.test.ts
MediumSecret Patternsrc/__tests__/admin-recovery.test.ts
MediumSecret Patternsrc/__tests__/admin-recovery.test.ts
MediumSecret Patternsrc/__tests__/admin-recovery.test.ts
LowScripts Present
LowWeak Cryptodist/bin.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings