AI Security Review
scanned 1d ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed lifecycle-triggered malware or unconsented agent-control hijack was found. The package does ship agent/AI harnesses that can explicitly install hooks into Claude/Codex/Cursor-style surfaces and capture session activity into a local daemon.
Decision evidence
public snapshot- User-invoked CLI connector code patches Claude/Codex/Cursor-style hook configs and symlinks skills under home agent dirs.
- Packaged Codex shim declares `codex exec --dangerously-bypass-approvals-and-sandbox` as its host CLI invocation.
- Harness hooks capture prompts, tool calls, Bash commands, transcript usage, and send them to the local Honeycomb daemon.
- Telemetry exists to `https://us.i.posthog.com`, and login/auth uses `https://api.deeplake.ai` by default.
- `package.json` postinstall only runs dependency sanity checks, not hook installation or agent config writes.
- `scripts/ensure-tree-sitter.mjs` and `scripts/ensure-embed-deps.mjs` only resolve/check optional deps and exit non-fatally.
- Agent hook wiring is behind explicit CLI/setup/plugin install flows, with Honeycomb markers and preservation/removal of foreign entries.
- Core SDK and CLI primarily talk to loopback `http://127.0.0.1:3850`; embedding daemon binds `127.0.0.1:3851` and pins a HuggingFace model revision.
Source & flagged code
12 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgPackage source references child process execution.
harnesses/claude-code/bundle/pre-tool-use.jsView on unpkg · L16056Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
bundle/cli.jsView on unpkg · L94Source writes installer persistence such as shell profile or service configuration.
bundle/cli.jsView on unpkg · L94Package source references dynamic require/import behavior.
embeddings/embed-daemon.jsView on unpkg · L34Package source references a known benign dynamic code generation pattern.
embeddings/embed-daemon.jsView on unpkg · L34A single source file combines environment access, network access, and code or shell execution; review context before blocking.
daemon/restart-helper.jsView on unpkg · L1Package ships high-entropy non-source blobs.
assets/logos/fonts/JetBrainsMono-Regular.woff2View on unpkgPackage contains source files above the static scanner size ceiling.
daemon/index.jsView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
harnesses/codex/bundle/capture.jsView on unpkg