AI Security Review
scanned 4d ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious install-time or hidden exfiltration behavior was found. The real risk is an explicit, package-owned Claude Code hook integration that mutates an AI-agent control surface and later injects/captures memory in trusted Holt workspaces.
Decision evidence
public snapshot- dist/cli.js implements explicit `holt hook install` that writes Claude Code hooks into `~/.claude/settings.json` or `./.claude/settings.json`.
- Installed hooks run `holt hook inject` on `UserPromptSubmit` and `holt hook capture` on `Stop`, affecting Claude Code context/memory.
- Hook capture reads Claude transcript path from hook input and can run the configured brain to distill facts into `.holt/memory`.
- `holt telegram` can send `runTask` output to Telegram after user setup with bot token and allowed chat id.
- package.json has no preinstall/install/postinstall lifecycle scripts.
- CLI dispatch requires explicit user commands; no import-time hidden execution beyond `main()` command routing.
- Hook runtime is guarded by trusted workspace and existing `.holt/memory`.
- Telegram is opt-in setup, restricted to configured `allowedChatId`, and uses the user's bot token.
- External AI/API endpoints are package-aligned configurable brain providers or local Ollama.
Source & flagged code
5 flagged · loading sourceSource executes local commands and sends command output to an external endpoint.
dist/cli.jsView on unpkg · L5320A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/cli.jsView on unpkg · L5320A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/cli.jsView on unpkg · L2798Source writes installer persistence such as shell profile or service configuration.
dist/cli.jsView on unpkg · L13