registry  /  @holt-os/holt  /  0.8.2

@holt-os/holt@0.8.2

An open-source personal agent OS: any LLM, private memory you can see and walk.

AI Security Review

scanned 6d ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs holt init, holt telegram, holt schedule add, holt mcp, holt run, or related CLI commands.
Impact
A configured Telegram chat or scheduler can cause Holt to run selected AI brains against a trusted workspace and send/store outputs; misuse risk depends on user setup and trusted folder contents.
Mechanism
user-configured AI CLI/API execution, memory recall, Telegram long-poll control, and optional OS scheduler entries
Policy narrative
If a user explicitly configures Telegram or schedules, Holt can receive tasks remotely or run them on a timer, invoke configured AI CLIs/APIs with recalled workspace memory, and return or save outputs. The reviewed code does not trigger this during npm install and does not silently register foreign agent control surfaces.
Rationale
Source inspection confirms dangerous AI-agent orchestration capabilities, including Telegram-driven task execution and scheduler persistence, but these are package-aligned, documented, and activated by explicit CLI setup with trust/configuration gates. No covert install-time execution, exfiltration, or unconsented broad agent control-surface mutation was found.
Evidence
package.jsondist/cli.jsREADME.md~/.holt/trust.json~/.holt/credentials.json~/.holt/telegram.json~/.holt/schedules.json~/.holt/logs/<id>.log~/.zshrc~/.bashrc~/.profile~/Library/LaunchAgents/com.holt.<id>.plist<workspace>/.holt/config.json<workspace>/.holt/memory/turns.jsonl<workspace>/.holt/memory/facts.md<workspace>/.holt/skills/<name>/SKILL.md
Network endpoints5
api.telegram.orgapi.anthropic.com/v1/messagesapi.openai.com/v1/chat/completionsgenerativelanguage.googleapis.com/v1beta/models/127.0.0.1:11434

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/cli.js exposes user-invoked Telegram bot that long-polls api.telegram.org and passes messages from allowedChatId into runTask.
  • dist/cli.js runTask can spawn configured agent CLIs (claude/codex/gemini) or call LLM APIs with recalled local memory.
  • dist/cli.js schedule add writes launchd plist or crontab entries for recurring holt run tasks after interactive trust.
  • dist/cli.js mcp auto-trusts launch folder because MCP is non-interactive, but only when user runs holt mcp.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • bin entrypoint is dist/cli.js; behavior is activated by explicit holt subcommands, not import/install time.
  • Telegram setup requires user-pasted bot token and stores an allowed chat id before bot operation.
  • Shell alias, scheduler, MCP, and skills are documented in README.md and gated by user commands or trust prompts.
  • No evidence of credential harvesting beyond user-configured API keys stored for package use.
  • Network endpoints are package-aligned LLM, Telegram, and local Ollama APIs.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 131 KB of source, external domains: 127.0.0.1, api.anthropic.com, api.openai.com, api.telegram.org, generativelanguage.googleapis.com, github.com, ollama.com, productsdecoded.com

Source & flagged code

4 flagged · loading source
dist/cli.jsView file
13import readline from "readline"; L14: var on = process.stdout.isTTY && !process.env.NO_COLOR; L15: var wrap = (code) => (s) => on ? `\x1B[${code}m${s}\x1B[0m` : s; ... L43: }); L44: const ask = (q) => new Promise((resolve4) => { L45: if (q) process.stdout.write(q); L46: if (buffer.length) resolve4(buffer.shift()); ... L53: // src/workspace.ts L54: var GLOBAL_DIR = join(homedir(), ".holt"); L55: var TRUST_PATH = join(GLOBAL_DIR, "trust.json"); ... L66: try { L67: return JSON.parse(readFileSync(TRUST_PATH, "utf8"));
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/cli.jsView on unpkg · L13
13Trigger-reachable chain: manifest.bin -> dist/cli.js L13: import readline from "readline"; L14: var on = process.stdout.isTTY && !process.env.NO_COLOR; L15: var wrap = (code) => (s) => on ? `\x1B[${code}m${s}\x1B[0m` : s; ... L43: }); L44: const ask = (q) => new Promise((resolve4) => { L45: if (q) process.stdout.write(q); L46: if (buffer.length) resolve4(buffer.shift()); ... L53: // src/workspace.ts L54: var GLOBAL_DIR = join(homedir(), ".holt"); L55: var TRUST_PATH = join(GLOBAL_DIR, "trust.json"); ... L66: try { L67: return JSON.parse(readFileSync(TRUST_PATH, "utf8"));
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cli.jsView on unpkg · L13
199// src/brains.ts L200: import { spawn, spawnSync } from "child_process"; L201: var MAX_REPLAY_TURNS = 12;
High
Child Process

Package source references child process execution.

dist/cli.jsView on unpkg · L199
13import readline from "readline"; L14: var on = process.stdout.isTTY && !process.env.NO_COLOR; L15: var wrap = (code) => (s) => on ? `\x1B[${code}m${s}\x1B[0m` : s; ... L43: }); L44: const ask = (q) => new Promise((resolve4) => { L45: if (q) process.stdout.write(q); L46: if (buffer.length) resolve4(buffer.shift()); ... L53: // src/workspace.ts L54: var GLOBAL_DIR = join(homedir(), ".holt"); L55: var TRUST_PATH = join(GLOBAL_DIR, "trust.json"); ... L66: try { L67: return JSON.parse(readFileSync(TRUST_PATH, "utf8"));
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli.jsView on unpkg · L13

Findings

2 Critical2 High4 Medium4 Low
CriticalCommand Output Exfiltrationdist/cli.js
CriticalTrigger Reachable Dangerous Capabilitydist/cli.js
HighChild Processdist/cli.js
HighShell
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/cli.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings