registry  /  @legioncodeinc/honeycomb  /  0.3.0

@legioncodeinc/honeycomb@0.3.0

Honeycomb monorepo foundation: a long-lived daemon plus thin clients for six coding harnesses, the unified honeycomb CLI, the MCP server, and the embed daemon.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed lifecycle-triggered malware or unconsented agent-control hijack was found. The package does ship agent/AI harnesses that can explicitly install hooks into Claude/Codex/Cursor-style surfaces and capture session activity into a local daemon.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Explicit `honeycomb setup/install/hook` or platform plugin installation; npm install only runs sanity checks.
Impact
When enabled by the user, prompts/tool events and local memory data are stored locally and may sync/authenticate with package-aligned services.
Mechanism
guarded agent extension hook wiring and local memory daemon capture
Policy narrative
Install time does not plant hooks. If a user explicitly runs the setup/plugin paths, the CLI writes Honeycomb-owned handlers and skill links into supported agent harness directories, captures harness events, and forwards them to the loopback daemon; auth, optional sync, and telemetry use declared product endpoints.
Rationale
Source inspection shows risky agent-extension capabilities and prompt/tool capture, but the dangerous writes are user-invoked/platform-owned rather than lifecycle-triggered, and postinstall performs only local dependency checks. This fits guarded agent extension lifecycle risk rather than malicious package behavior.
Evidence
package.jsonscripts/ensure-tree-sitter.mjsscripts/ensure-embed-deps.mjsbundle/cli.jsharnesses/codex/bundle/capture.jsharnesses/claude-code/hooks/hooks.jsonembeddings/embed-daemon.js~/.claude/plugins/honeycomb~/.claude/skills~/.codex/skills~/.cursor/skills~/.honeycomb/embed-models
Network endpoints4
127.0.0.1:3850127.0.0.1:3851api.deeplake.aius.i.posthog.com

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • User-invoked CLI connector code patches Claude/Codex/Cursor-style hook configs and symlinks skills under home agent dirs.
  • Packaged Codex shim declares `codex exec --dangerously-bypass-approvals-and-sandbox` as its host CLI invocation.
  • Harness hooks capture prompts, tool calls, Bash commands, transcript usage, and send them to the local Honeycomb daemon.
  • Telemetry exists to `https://us.i.posthog.com`, and login/auth uses `https://api.deeplake.ai` by default.
Evidence against
  • `package.json` postinstall only runs dependency sanity checks, not hook installation or agent config writes.
  • `scripts/ensure-tree-sitter.mjs` and `scripts/ensure-embed-deps.mjs` only resolve/check optional deps and exit non-fatally.
  • Agent hook wiring is behind explicit CLI/setup/plugin install flows, with Honeycomb markers and preservation/removal of foreign entries.
  • Core SDK and CLI primarily talk to loopback `http://127.0.0.1:3850`; embedding daemon binds `127.0.0.1:3851` and pins a HuggingFace model revision.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
CopyleftLicense
scanned 27 file(s), 10.1 MB of source, external domains: 127.0.0.1, api.deeplake.ai, get.theapiary.sh, github.com, json-schema.org, raw.githubusercontent.com, spec.openapis.org, stackoverflow.com, tools.ietf.org, us.i.posthog.com, www.safaribooksonline.com, www.w3.org
Oversized source lightweight scan
daemon/index.js2.02 MB file, sampled 256 KB
FilesystemNetworkEnvironmentVarsCryptoHighEntropyStrings

Source & flagged code

12 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/ensure-tree-sitter.mjs && node scripts/ensure-embed-deps.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/ensure-tree-sitter.mjs && node scripts/ensure-embed-deps.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
harnesses/claude-code/bundle/pre-tool-use.jsView file
16056// dist/src/hooks/shared/project-resolver.js L16057: import { execFileSync } from "node:child_process"; L16058: import { existsSync as existsSync7, mkdirSync as mkdirSync7, readFileSync as readFileSync10, writeFileSync as writeFileSync7 } from "node:fs";
High
Child Process

Package source references child process execution.

harnesses/claude-code/bundle/pre-tool-use.jsView on unpkg · L16056
bundle/cli.jsView file
17848function [redacted](platform2 = process.platform) { L17849: const command = platform2 === "win32" ? 'powershell -c "& { $(irm https://get.theapiary.sh/install.ps1) } --products=honeycomb,doctor,hive"' : "curl -fsSL https://get.theapiary.sh ... L17850: return `Dashboard portal is not running; install it with ${command}.`;
High
Shell

Package source references shell execution.

bundle/cli.jsView on unpkg · L17848
94Cross-file remote execution chain: bundle/cli.js spawns harnesses/claude-code/bundle/pre-tool-use.js; helper contains network access plus dynamic code execution. L94: function createLoopbackDaemonClient(options = {}) { L95: const baseUrl = options.baseUrl ?? "http://127.0.0.1:3850"; L96: const headers = options.headers ?? {}; ... L100: async send(req) { L101: const qs = req.query !== void 0 && Object.keys(req.query).length > 0 ? `?${new URLSearchParams(req.query).toString()}` : ""; L102: const sessionHeaders = isSessionGroupPath(req.path) ? { "x-honeycomb-runtime-path": CLI_RUNTIME_PATH, "x-honeycomb-session": mintSession() } : {}; ... L109: try { L110: body = await res.json(); L111: } catch { ... L171: out(`error: prune failed (daemon ${res.status}).`); L172: return { exitCode: 1 }; L173: }
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

bundle/cli.jsView on unpkg · L94
94function createLoopbackDaemonClient(options = {}) { L95: const baseUrl = options.baseUrl ?? "http://127.0.0.1:3850"; L96: const headers = options.headers ?? {}; ... L100: async send(req) { L101: const qs = req.query !== void 0 && Object.keys(req.query).length > 0 ? `?${new URLSearchParams(req.query).toString()}` : ""; L102: const sessionHeaders = isSessionGroupPath(req.path) ? { "x-honeycomb-runtime-path": CLI_RUNTIME_PATH, "x-honeycomb-session": mintSession() } : {}; ... L109: try { L110: body = await res.json(); L111: } catch { ... L171: out(`error: prune failed (daemon ${res.status}).`); L172: return { exitCode: 1 }; L173: }
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

bundle/cli.jsView on unpkg · L94
embeddings/embed-daemon.jsView file
34const moduleSpecifier = "@huggingface/transformers"; L35: const dynamicImport = new Function("m", "return import(m);"); L36: return await dynamicImport(moduleSpecifier);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

embeddings/embed-daemon.jsView on unpkg · L34
34const moduleSpecifier = "@huggingface/transformers"; L35: const dynamicImport = new Function("m", "return import(m);"); L36: return await dynamicImport(moduleSpecifier);
Low
Eval

Package source references a known benign dynamic code generation pattern.

embeddings/embed-daemon.jsView on unpkg · L34
daemon/restart-helper.jsView file
1// dist/src/daemon/restart-helper.js L2: import { spawn } from "node:child_process"; L3: var port = Number(process.env.HONEYCOMB_RESTART_PORT ?? "3850"); L4: var entry = process.env.HONEYCOMB_RESTART_ENTRY ?? ""; ... L8: var LOCK_RELEASE_GRACE_MS = 800; L9: var healthUrl = `http://127.0.0.1:${Number.isFinite(port) && port > 0 ? port : 3850}/health`; L10: async function stillUp() {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

daemon/restart-helper.jsView on unpkg · L1
assets/logos/fonts/JetBrainsMono-Regular.woff2View file
path = [redacted]-Regular.woff2 kind = high_entropy_blob sizeBytes = 92164 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

assets/logos/fonts/JetBrainsMono-Regular.woff2View on unpkg
daemon/index.jsView file
path = daemon/index.js kind = oversized_source_file sizeBytes = 2123201 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

daemon/index.jsView on unpkg
harnesses/codex/bundle/capture.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @legioncodeinc/honeycomb@0.2.0 matchedIdentity = npm:[redacted]:0.2.0 similarity = 0.481 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

harnesses/codex/bundle/capture.jsView on unpkg

Findings

1 Critical7 High6 Medium6 Low
CriticalPrevious Version Dangerous Deltaharnesses/codex/bundle/capture.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processharnesses/claude-code/bundle/pre-tool-use.js
HighShellbundle/cli.js
HighSame File Env Network Executiondaemon/restart-helper.js
HighCross File Remote Execution Contextbundle/cli.js
HighShips High Entropy Blobassets/logos/fonts/JetBrainsMono-Regular.woff2
HighOversized Source Filedaemon/index.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requireembeddings/embed-daemon.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencebundle/cli.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvalembeddings/embed-daemon.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License