registry  /  @legioncodeinc/honeycomb  /  0.4.1

@legioncodeinc/honeycomb@0.4.1

Honeycomb monorepo foundation: a long-lived daemon plus thin clients for six coding harnesses, the unified honeycomb CLI, the MCP server, and the embed daemon.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No unconsented install-time hijack was confirmed, but the package is an AI-agent memory platform that can register hooks and write skills/agents into Claude, Codex, and Cursor control surfaces after setup. Residual risk is platform extension lifecycle behavior rather than classic malware.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
user-invoked honeycomb setup/plugin hook activation or agent session-start hook
Impact
captures agent session content to local daemon and may install Honeycomb-supplied or daemon-synced agent skills/agents into supported harness directories
Mechanism
agent hook registration, local daemon capture, and asset auto-pull into agent skill directories
Policy narrative
If a user enables Honeycomb for an assistant, its hooks run during agent sessions, forward captured events to the local daemon, and session-start can pull Honeycomb assets into assistant skill/agent directories. The npm lifecycle hook itself only performs non-fatal dependency checks, so the risky agent-control behavior is guarded by product setup rather than automatic install execution.
Rationale
Source inspection does not show npm install-time mutation of foreign AI-agent surfaces, credential harvesting, remote exfiltration, or remote code execution. The package still has guarded agent-extension lifecycle risk because its product purpose is to wire assistant hooks and manage skills/agents across Claude, Codex, and Cursor.
Evidence
package.jsonscripts/ensure-tree-sitter.mjsscripts/ensure-embed-deps.mjsbundle/cli.jsharnesses/claude-code/hooks/hooks.jsonharnesses/codex/bundle/index.js~/.claude/settings.json~/.claude/skills~/.codex/hooks.json~/.codex/skills~/.cursor/hooks.json~/.cursor/skills
Network endpoints1
127.0.0.1:3850

Decision evidence

public snapshot
AI called this Suspicious at 83.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • bundle/cli.js contains connector logic for ~/.claude/settings.json, ~/.codex/hooks.json, ~/.cursor/hooks.json and plugin roots under those homes
  • harnesses/codex/bundle/index.js defines Codex host CLI args including --dangerously-bypass-approvals-and-sandbox
  • harness bundles can auto-pull assets on session-start into .claude/.codex/.cursor skills or agents directories
  • hook bundles capture prompts/tool calls/assistant messages and send them to local Honeycomb daemon
Evidence against
  • package.json postinstall only runs scripts/ensure-tree-sitter.mjs and scripts/ensure-embed-deps.mjs sanity checks
  • postinstall scripts resolve optional deps/wasm files and do not write agent configs or fetch remote payloads
  • Claude hook config is shipped as a platform plugin file under harnesses/claude-code/hooks/hooks.json
  • network endpoints observed for hooks are local loopback http://127.0.0.1:3850 APIs
  • agent hook wiring appears tied to explicit CLI/plugin setup, not npm install-time mutation
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
CopyleftLicense
scanned 27 file(s), 10.1 MB of source, external domains: 127.0.0.1, api.deeplake.ai, get.theapiary.sh, github.com, json-schema.org, raw.githubusercontent.com, spec.openapis.org, stackoverflow.com, tools.ietf.org, us.i.posthog.com, www.safaribooksonline.com, www.w3.org
Oversized source lightweight scan
daemon/index.js2.05 MB file, sampled 256 KB
FilesystemNetworkEnvironmentVarsCryptoHighEntropyStrings

Source & flagged code

12 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/ensure-tree-sitter.mjs && node scripts/ensure-embed-deps.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/ensure-tree-sitter.mjs && node scripts/ensure-embed-deps.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
harnesses/claude-code/bundle/pre-tool-use.jsView file
16056// dist/src/hooks/shared/project-resolver.js L16057: import { execFileSync } from "node:child_process"; L16058: import { existsSync as existsSync7, mkdirSync as mkdirSync7, readFileSync as readFileSync10, writeFileSync as writeFileSync7 } from "node:fs";
High
Child Process

Package source references child process execution.

harnesses/claude-code/bundle/pre-tool-use.jsView on unpkg · L16056
bundle/cli.jsView file
17848function [redacted](platform2 = process.platform) { L17849: const command = platform2 === "win32" ? 'powershell -c "& { $(irm https://get.theapiary.sh/install.ps1) } --products=honeycomb,doctor,hive"' : "curl -fsSL https://get.theapiary.sh ... L17850: return `Dashboard portal is not running; install it with ${command}.`;
High
Shell

Package source references shell execution.

bundle/cli.jsView on unpkg · L17848
94Cross-file remote execution chain: bundle/cli.js spawns harnesses/claude-code/bundle/pre-tool-use.js; helper contains network access plus dynamic code execution. L94: function createLoopbackDaemonClient(options = {}) { L95: const baseUrl = options.baseUrl ?? "http://127.0.0.1:3850"; L96: const headers = options.headers ?? {}; ... L100: async send(req) { L101: const qs = req.query !== void 0 && Object.keys(req.query).length > 0 ? `?${new URLSearchParams(req.query).toString()}` : ""; L102: const sessionHeaders = isSessionGroupPath(req.path) ? { "x-honeycomb-runtime-path": CLI_RUNTIME_PATH, "x-honeycomb-session": mintSession() } : {}; ... L109: try { L110: body = await res.json(); L111: } catch { ... L171: out(`error: prune failed (daemon ${res.status}).`); L172: return { exitCode: 1 }; L173: }
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

bundle/cli.jsView on unpkg · L94
94function createLoopbackDaemonClient(options = {}) { L95: const baseUrl = options.baseUrl ?? "http://127.0.0.1:3850"; L96: const headers = options.headers ?? {}; ... L100: async send(req) { L101: const qs = req.query !== void 0 && Object.keys(req.query).length > 0 ? `?${new URLSearchParams(req.query).toString()}` : ""; L102: const sessionHeaders = isSessionGroupPath(req.path) ? { "x-honeycomb-runtime-path": CLI_RUNTIME_PATH, "x-honeycomb-session": mintSession() } : {}; ... L109: try { L110: body = await res.json(); L111: } catch { ... L171: out(`error: prune failed (daemon ${res.status}).`); L172: return { exitCode: 1 }; L173: }
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

bundle/cli.jsView on unpkg · L94
embeddings/embed-daemon.jsView file
34const moduleSpecifier = "@huggingface/transformers"; L35: const dynamicImport = new Function("m", "return import(m);"); L36: return await dynamicImport(moduleSpecifier);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

embeddings/embed-daemon.jsView on unpkg · L34
34const moduleSpecifier = "@huggingface/transformers"; L35: const dynamicImport = new Function("m", "return import(m);"); L36: return await dynamicImport(moduleSpecifier);
Low
Eval

Package source references a known benign dynamic code generation pattern.

embeddings/embed-daemon.jsView on unpkg · L34
daemon/restart-helper.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @legioncodeinc/honeycomb@0.3.0 matchedIdentity = npm:[redacted]:0.3.0 similarity = 0.926 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

daemon/restart-helper.jsView on unpkg
1// dist/src/daemon/restart-helper.js L2: import { spawn } from "node:child_process"; L3: var port = Number(process.env.HONEYCOMB_RESTART_PORT ?? "3850"); L4: var entry = process.env.HONEYCOMB_RESTART_ENTRY ?? ""; ... L8: var LOCK_RELEASE_GRACE_MS = 800; L9: var healthUrl = `http://127.0.0.1:${Number.isFinite(port) && port > 0 ? port : 3850}/health`; L10: async function stillUp() {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

daemon/restart-helper.jsView on unpkg · L1
assets/logos/fonts/JetBrainsMono-Regular.woff2View file
path = [redacted]-Regular.woff2 kind = high_entropy_blob sizeBytes = 92164 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

assets/logos/fonts/JetBrainsMono-Regular.woff2View on unpkg
daemon/index.jsView file
path = daemon/index.js kind = oversized_source_file sizeBytes = 2145142 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

daemon/index.jsView on unpkg

Findings

1 Critical7 High6 Medium6 Low
CriticalPrevious Version Dangerous Deltadaemon/restart-helper.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processharnesses/claude-code/bundle/pre-tool-use.js
HighShellbundle/cli.js
HighSame File Env Network Executiondaemon/restart-helper.js
HighCross File Remote Execution Contextbundle/cli.js
HighShips High Entropy Blobassets/logos/fonts/JetBrainsMono-Regular.woff2
HighOversized Source Filedaemon/index.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requireembeddings/embed-daemon.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencebundle/cli.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvalembeddings/embed-daemon.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License