AI Security Review
scanned 6d ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot- dist/cli.js exposes user-invoked Telegram bot that long-polls api.telegram.org and passes messages from allowedChatId into runTask.
- dist/cli.js runTask can spawn configured agent CLIs (claude/codex/gemini) or call LLM APIs with recalled local memory.
- dist/cli.js schedule add writes launchd plist or crontab entries for recurring holt run tasks after interactive trust.
- dist/cli.js mcp auto-trusts launch folder because MCP is non-interactive, but only when user runs holt mcp.
- package.json has no preinstall/install/postinstall lifecycle hooks.
- bin entrypoint is dist/cli.js; behavior is activated by explicit holt subcommands, not import/install time.
- Telegram setup requires user-pasted bot token and stores an allowed chat id before bot operation.
- Shell alias, scheduler, MCP, and skills are documented in README.md and gated by user commands or trust prompts.
- No evidence of credential harvesting beyond user-configured API keys stored for package use.
- Network endpoints are package-aligned LLM, Telegram, and local Ollama APIs.
Source & flagged code
4 flagged · loading sourceSource executes local commands and sends command output to an external endpoint.
dist/cli.jsView on unpkg · L13A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/cli.jsView on unpkg · L13Source writes installer persistence such as shell profile or service configuration.
dist/cli.jsView on unpkg · L13