AI Security Review
scanned 5d ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot- dist/cli.js exposes user-invoked Telegram bot that long-polls api.telegram.org and runs allowed chat messages through runTask.
- dist/cli.js schedule add writes launchd plist or crontab entries for recurring holt run tasks after an interactive trust prompt.
- dist/cli.js can install a shell alias/shim for holt chat via setting/init when user selects a launch command.
- dist/cli.js mcp command auto-trusts the launch folder and exposes memory/skill tools over stdio.
- package.json has no install/preinstall/postinstall lifecycle hooks.
- All high-risk paths are CLI subcommands, not install-time or import-time execution.
- Telegram setup requires pasted bot token and allowed chat id; messages from other chat ids are ignored.
- Network endpoints are product-aligned: local Ollama, configured LLM APIs, and Telegram when explicitly configured.
- No evidence of credential harvesting or package-author exfiltration; stored keys are used for selected providers.
- MCP setup only prints client config and does not rewrite foreign agent config files.
Source & flagged code
4 flagged · loading sourceSource executes local commands and sends command output to an external endpoint.
dist/cli.jsView on unpkg · L13A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/cli.jsView on unpkg · L13Source writes installer persistence such as shell profile or service configuration.
dist/cli.jsView on unpkg · L13