AI Security Review
scanned 4d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The package is a user-invoked personal agent CLI with optional Telegram, scheduler, skills, memory, and LLM provider integrations.
Decision evidence
public snapshot- dist/cli.js exposes user-invoked Telegram bot/notify features that send run output or stdin text to https://api.telegram.org.
- dist/cli.js can spawn configured agent CLIs (claude/codex/gemini), install selected CLIs, clone skill repos, and install scheduler entries, all after explicit CLI commands/prompts.
- dist/cli.js can write ~/.zshrc/~/.bashrc or PATH shim for a custom launch alias and create launchd/cron jobs for scheduled tasks when requested.
- package.json has no preinstall/install/postinstall lifecycle hooks; only bin holt -> dist/cli.js.
- Network endpoints are package-aligned: Telegram integration, local Ollama, and user-selected Anthropic/OpenAI/Gemini API brains.
- Telegram setup requires a bot token and allowed chat id; handler ignores other chats and runs only when user starts holt telegram.
- Writes are documented/configuration-oriented: .holt config/memory/skills/graph, ~/.holt credentials/trust/schedules/telegram, optional alias/scheduler files.
- No hidden dynamic eval/remote payload loading found; git clone is only for explicit holt skill add source.
Source & flagged code
4 flagged · loading sourceSource executes local commands and sends command output to an external endpoint.
dist/cli.jsView on unpkg · L13A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/cli.jsView on unpkg · L13Source writes installer persistence such as shell profile or service configuration.
dist/cli.jsView on unpkg · L13