registry  /  @legioncodeinc/honeycomb  /  0.5.0

@legioncodeinc/honeycomb@0.5.0

Honeycomb monorepo foundation: a long-lived daemon plus thin clients for six coding harnesses, the unified honeycomb CLI, the MCP server, and the embed daemon.

AI Security Review

scanned 18h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs honeycomb setup, honeycomb connect, agent hooks, login, or daemon/embed warmup.
Impact
Can observe prompts, tool usage, and session data through installed hooks; data may be stored locally and synced to configured Honeycomb/DeepLake services.
Mechanism
explicit AI harness hook installation and local daemon memory capture
Rationale
Static inspection found no credential exfiltration, destructive behavior, remote payload execution, or unconsented install-time AI-agent control mutation. Because explicit setup wires broad AI-agent hooks that capture agent activity, warn rather than block.
Evidence
package.jsonscripts/ensure-tree-sitter.mjsscripts/ensure-embed-deps.mjsbundle/cli.jsharnesses/codex/bundle/pre-tool-use.jsembeddings/embed-daemon.js~/.claude/settings.json~/.claude/plugins/honeycomb~/.codex/hooks.json~/.codex/plugins/honeycomb~/.cursor/hooks.json~/.cursor/honeycomb~/.deeplake/credentials.json~/.honeycomb
Network endpoints5
127.0.0.1:3850127.0.0.1:3851api.deeplake.aius.i.posthog.comnomic-ai/nomic-embed-text-v1.5

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • bundle/cli.js user-invoked setup/connect patches AI harness hook configs for Claude Code, Codex, and Cursor.
  • bundle/cli.js copies bundled hook handlers into ~/.claude/plugins, ~/.codex/plugins, or ~/.cursor/honeycomb paths.
  • hook bundles capture prompts/tool/session events and POST them to local daemon endpoints under http://127.0.0.1:3850/api/hooks.
  • bundle/cli.js can register a Claude marketplace plugin by spawning claude plugin commands when setup runs.
  • bundle/cli.js includes lifecycle telemetry to https://us.i.posthog.com and DeepLake auth/storage endpoints.
Evidence against
  • package.json postinstall only runs two sanity-check scripts, not hook/config mutation.
  • scripts/ensure-tree-sitter.mjs only resolves tree-sitter WASM files and exits non-fatally.
  • scripts/ensure-embed-deps.mjs only checks optional @huggingface/transformers resolution and downloads nothing.
  • AI harness mutation is explicit user command behavior via honeycomb setup/connect, not npm install-time execution.
  • Hook/config patching preserves foreign entries and uninstall removes only Honeycomb-marked entries.
  • Network endpoints are package-aligned loopback, DeepLake, HuggingFace model warmup, and documented telemetry.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
CopyleftLicense
scanned 27 file(s), 10.2 MB of source, external domains: 127.0.0.1, api.deeplake.ai, get.theapiary.sh, github.com, json-schema.org, raw.githubusercontent.com, spec.openapis.org, stackoverflow.com, tools.ietf.org, us.i.posthog.com, www.safaribooksonline.com, www.w3.org
Oversized source lightweight scan
daemon/index.js2.05 MB file, sampled 256 KB
FilesystemNetworkEnvironmentVarsCryptoHighEntropyStrings

Source & flagged code

12 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/ensure-tree-sitter.mjs && node scripts/ensure-embed-deps.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/ensure-tree-sitter.mjs && node scripts/ensure-embed-deps.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
harnesses/claude-code/bundle/pre-tool-use.jsView file
16133// dist/src/hooks/shared/project-resolver.js L16134: import { execFileSync } from "node:child_process"; L16135: import { existsSync as existsSync7, mkdirSync as mkdirSync7, readFileSync as readFileSync10, writeFileSync as writeFileSync7 } from "node:fs";
High
Child Process

Package source references child process execution.

harnesses/claude-code/bundle/pre-tool-use.jsView on unpkg · L16133
bundle/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @legioncodeinc/honeycomb@0.4.1 matchedIdentity = npm:[redacted]:0.4.1 similarity = 0.963 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bundle/cli.jsView on unpkg
17259function [redacted](platform2 = process.platform) { L17260: const command = platform2 === "win32" ? 'powershell -c "& { $(irm https://get.theapiary.sh/install.ps1) } --products=honeycomb,doctor,hive"' : "curl -fsSL https://get.theapiary.sh ... L17261: return `Dashboard portal is not running; install it with ${command}.`;
High
Shell

Package source references shell execution.

bundle/cli.jsView on unpkg · L17259
132Cross-file remote execution chain: bundle/cli.js spawns harnesses/claude-code/bundle/pre-tool-use.js; helper contains network access plus dynamic code execution. L132: ZodArray: () => ZodArray, L133: ZodBase64: () => ZodBase64, L134: ZodBase64URL: () => ZodBase64URL, ... L1593: error: new (_Err ?? $ZodError)(result.issues.map((iss) => finalizeIssue(iss, ctx, config()))) L1594: } : { success: true, data: result.value }; L1595: }; ... L2677: try { L2678: new URL(`http://[${payload.value}]`); L2679: } catch { ... L14662: function resolveFleetRoot(options = {}) { L14663: const env = options.env ?? process.env; L14664: const platform2 = options.platform ?? process.platform;
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

bundle/cli.jsView on unpkg · L132
132ZodArray: () => ZodArray, L133: ZodBase64: () => ZodBase64, L134: ZodBase64URL: () => ZodBase64URL, ... L1593: error: new (_Err ?? $ZodError)(result.issues.map((iss) => finalizeIssue(iss, ctx, config()))) L1594: } : { success: true, data: result.value }; L1595: }; ... L2677: try { L2678: new URL(`http://[${payload.value}]`); L2679: } catch { ... L14662: function resolveFleetRoot(options = {}) { L14663: const env = options.env ?? process.env; L14664: const platform2 = options.platform ?? process.platform;
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

bundle/cli.jsView on unpkg · L132
embeddings/embed-daemon.jsView file
34const moduleSpecifier = "@huggingface/transformers"; L35: const dynamicImport = new Function("m", "return import(m);"); L36: return await dynamicImport(moduleSpecifier);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

embeddings/embed-daemon.jsView on unpkg · L34
34const moduleSpecifier = "@huggingface/transformers"; L35: const dynamicImport = new Function("m", "return import(m);"); L36: return await dynamicImport(moduleSpecifier);
Low
Eval

Package source references a known benign dynamic code generation pattern.

embeddings/embed-daemon.jsView on unpkg · L34
daemon/restart-helper.jsView file
1// dist/src/daemon/restart-helper.js L2: import { spawn } from "node:child_process"; L3: var port = Number(process.env.HONEYCOMB_RESTART_PORT ?? "3850"); L4: var entry = process.env.HONEYCOMB_RESTART_ENTRY ?? ""; ... L8: var LOCK_RELEASE_GRACE_MS = 800; L9: var healthUrl = `http://127.0.0.1:${Number.isFinite(port) && port > 0 ? port : 3850}/health`; L10: async function stillUp() {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

daemon/restart-helper.jsView on unpkg · L1
assets/logos/fonts/JetBrainsMono-Regular.woff2View file
path = [redacted]-Regular.woff2 kind = high_entropy_blob sizeBytes = 92164 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

assets/logos/fonts/JetBrainsMono-Regular.woff2View on unpkg
daemon/index.jsView file
path = daemon/index.js kind = oversized_source_file sizeBytes = 2145633 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

daemon/index.jsView on unpkg

Findings

1 Critical7 High6 Medium6 Low
CriticalPrevious Version Dangerous Deltabundle/cli.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processharnesses/claude-code/bundle/pre-tool-use.js
HighShellbundle/cli.js
HighSame File Env Network Executiondaemon/restart-helper.js
HighCross File Remote Execution Contextbundle/cli.js
HighShips High Entropy Blobassets/logos/fonts/JetBrainsMono-Regular.woff2
HighOversized Source Filedaemon/index.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requireembeddings/embed-daemon.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencebundle/cli.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvalembeddings/embed-daemon.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License