AI Security Review
scanned 6d ago · by lpm-firewall-aiNo confirmed malicious attack surface: risky primitives are documented, package-aligned, and user-invoked. There is no install-time execution, credential harvesting, hidden exfiltration, or unconsented AI-agent control-surface mutation.
Decision evidence
public snapshot- package.json has no npm lifecycle hooks; only bin holt -> dist/cli.js.
- dist/cli.js writes ~/.holt credentials, trust, schedules, telegram config, and workspace .holt files only from user-invoked commands.
- Telegram send/getUpdates are activated by holt telegram/setup/notify and restricted to configured allowedChatId.
- Shell/profile alias and launchd/cron persistence are explicit user commands: init alias prompt or schedule add.
- Brain CLI spawning and npm global installs occur during interactive init/login/run workflows, not install/import time.
- README.md documents MCP, Telegram, scheduling, credentials, and storage behavior.
Source & flagged code
4 flagged · loading sourceSource executes local commands and sends command output to an external endpoint.
dist/cli.jsView on unpkg · L13A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/cli.jsView on unpkg · L13Source writes installer persistence such as shell profile or service configuration.
dist/cli.jsView on unpkg · L13