AI Security Review
scanned 1h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface. The package exposes explicit agent-integration features that can run local agent CLIs, install Claude Code hooks, and bridge user-authorized Telegram messages to configured brains.
Decision evidence
public snapshot- dist/cli.js defines explicit `holt hook install` writing Holt commands into Claude Code settings hooks.
- dist/cli.js `holt telegram` can long-poll Telegram, run configured LLM/agent tasks, and send replies to Telegram.
- dist/cli.js can spawn configured agent CLIs (`claude`, `codex`, `gemini`) with user prompts.
- package.json has no preinstall/install/postinstall lifecycle scripts.
- Dangerous paths are user-invoked CLI commands, not install-time or import-time execution.
- Telegram setup requires pasted bot token and allowed chat id; bot ignores other chats.
- Claude hooks are guarded by trusted-folder and existing `.holt/memory` checks at runtime.
- Network endpoints are package-aligned: Telegram, LLM APIs, local Ollama.
- No evidence of credential harvesting, stealth persistence, remote payload loading, or destructive behavior.
Source & flagged code
5 flagged · loading sourceSource executes local commands and sends command output to an external endpoint.
dist/cli.jsView on unpkg · L6951A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/cli.jsView on unpkg · L6951A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/cli.jsView on unpkg · L4667Source writes installer persistence such as shell profile or service configuration.
dist/cli.jsView on unpkg · L13