registry  /  @legioncodeinc/honeycomb  /  0.5.3

@legioncodeinc/honeycomb@0.5.3

Honeycomb monorepo foundation: a long-lived daemon plus thin clients for six coding harnesses, the unified honeycomb CLI, the MCP server, and the embed daemon.

AI Security Review

scanned 18h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface. The meaningful risk is explicit user-command setup of first-party AI assistant hooks and plugin registration for Honeycomb memory capture/recall.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `honeycomb setup`, `honeycomb connect <harness>`, or assistant host invokes installed Honeycomb hooks
Impact
Captures assistant session/tool events for local memory features; not activated by npm postinstall and no exfiltration chain confirmed
Mechanism
first-party assistant hook/plugin lifecycle wiring to local Honeycomb daemon
Rationale
Static source inspection found explicit assistant hook/plugin wiring and runtime network features, but the npm postinstall scripts do not mutate AI-agent control surfaces or run remote payloads. Because the extension lifecycle risk is real but user-invoked and package-aligned, warn rather than block.
Evidence
package.jsonscripts/ensure-tree-sitter.mjsscripts/ensure-embed-deps.mjsbundle/cli.jsharnesses/claude-code/hooks/hooks.jsonembeddings/embed-daemon.jssdk/index.js~/.claude/settings.json~/.claude/plugins/honeycomb/bundle/*~/.claude/skills/*~/.codex/hooks.json~/.codex/plugins/honeycomb/bundle/*~/.cursor/hooks.json~/.cursor/honeycomb/*~/.apiary/honeycomb/*~/.deeplake/credentials.json
Network endpoints5
127.0.0.1:3850127.0.0.1:3851api.deeplake.aius.i.posthog.comget.theapiary.sh

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • bundle/cli.js explicit setup/connect can wire Claude/Codex/Cursor hooks under user assistant config dirs
  • bundle/cli.js Claude connector can run `claude plugin marketplace add/install/enable honeycomb`
  • harnesses/claude-code/hooks/hooks.json defines hook commands that execute bundled Honeycomb handlers
  • embeddings/embed-daemon.js lazily downloads/loads HuggingFace model via @huggingface/transformers at runtime
Evidence against
  • package.json postinstall only runs local dependency presence checks
  • scripts/ensure-tree-sitter.mjs checks installed WASM grammar files and exits non-fatally
  • scripts/ensure-embed-deps.mjs only require.resolve checks optional dependency; no import/download
  • Assistant hook/config mutation is under explicit CLI setup/connect/uninstall paths, not npm install-time
  • SDK and hook bundles target local daemon endpoints and package-aligned APIs; no credential harvesting found
  • Config uninstall paths filter/remove Honeycomb-owned entries while preserving foreign hooks
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
CopyleftLicense
scanned 27 file(s), 10.2 MB of source, external domains: 127.0.0.1, api.deeplake.ai, get.theapiary.sh, github.com, json-schema.org, raw.githubusercontent.com, schemas.microsoft.com, spec.openapis.org, stackoverflow.com, tools.ietf.org, us.i.posthog.com, www.safaribooksonline.com, www.w3.org
Oversized source lightweight scan
daemon/index.js2.05 MB file, sampled 256 KB
FilesystemNetworkEnvironmentVarsCryptoHighEntropyStrings

Source & flagged code

12 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/ensure-tree-sitter.mjs && node scripts/ensure-embed-deps.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/ensure-tree-sitter.mjs && node scripts/ensure-embed-deps.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
harnesses/claude-code/bundle/pre-tool-use.jsView file
16133// dist/src/hooks/shared/project-resolver.js L16134: import { execFileSync } from "node:child_process"; L16135: import { existsSync as existsSync7, mkdirSync as mkdirSync7, readFileSync as readFileSync10, writeFileSync as writeFileSync7 } from "node:fs";
High
Child Process

Package source references child process execution.

harnesses/claude-code/bundle/pre-tool-use.jsView on unpkg · L16133
bundle/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @legioncodeinc/honeycomb@0.4.1 matchedIdentity = npm:[redacted]:0.4.1 similarity = 0.963 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bundle/cli.jsView on unpkg
17259function [redacted](platform2 = process.platform) { L17260: const command = platform2 === "win32" ? 'powershell -c "& { $(irm https://get.theapiary.sh/install.ps1) } --products=honeycomb,doctor,hive"' : "curl -fsSL https://get.theapiary.sh ... L17261: return `Dashboard portal is not running; install it with ${command}.`;
High
Shell

Package source references shell execution.

bundle/cli.jsView on unpkg · L17259
132Cross-file remote execution chain: bundle/cli.js spawns harnesses/claude-code/bundle/pre-tool-use.js; helper contains network access plus dynamic code execution. L132: ZodArray: () => ZodArray, L133: ZodBase64: () => ZodBase64, L134: ZodBase64URL: () => ZodBase64URL, ... L1593: error: new (_Err ?? $ZodError)(result.issues.map((iss) => finalizeIssue(iss, ctx, config()))) L1594: } : { success: true, data: result.value }; L1595: }; ... L2677: try { L2678: new URL(`http://[${payload.value}]`); L2679: } catch { ... L14662: function resolveFleetRoot(options = {}) { L14663: const env = options.env ?? process.env; L14664: const platform2 = options.platform ?? process.platform;
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

bundle/cli.jsView on unpkg · L132
132ZodArray: () => ZodArray, L133: ZodBase64: () => ZodBase64, L134: ZodBase64URL: () => ZodBase64URL, ... L1593: error: new (_Err ?? $ZodError)(result.issues.map((iss) => finalizeIssue(iss, ctx, config()))) L1594: } : { success: true, data: result.value }; L1595: }; ... L2677: try { L2678: new URL(`http://[${payload.value}]`); L2679: } catch { ... L14662: function resolveFleetRoot(options = {}) { L14663: const env = options.env ?? process.env; L14664: const platform2 = options.platform ?? process.platform;
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

bundle/cli.jsView on unpkg · L132
embeddings/embed-daemon.jsView file
34const moduleSpecifier = "@huggingface/transformers"; L35: const dynamicImport = new Function("m", "return import(m);"); L36: return await dynamicImport(moduleSpecifier);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

embeddings/embed-daemon.jsView on unpkg · L34
34const moduleSpecifier = "@huggingface/transformers"; L35: const dynamicImport = new Function("m", "return import(m);"); L36: return await dynamicImport(moduleSpecifier);
Low
Eval

Package source references a known benign dynamic code generation pattern.

embeddings/embed-daemon.jsView on unpkg · L34
daemon/restart-helper.jsView file
1// dist/src/daemon/restart-helper.js L2: import { spawn } from "node:child_process"; L3: var port = Number(process.env.HONEYCOMB_RESTART_PORT ?? "3850"); L4: var entry = process.env.HONEYCOMB_RESTART_ENTRY ?? ""; ... L8: var LOCK_RELEASE_GRACE_MS = 800; L9: var healthUrl = `http://127.0.0.1:${Number.isFinite(port) && port > 0 ? port : 3850}/health`; L10: async function stillUp() {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

daemon/restart-helper.jsView on unpkg · L1
assets/logos/fonts/JetBrainsMono-Regular.woff2View file
path = [redacted]-Regular.woff2 kind = high_entropy_blob sizeBytes = 92164 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

assets/logos/fonts/JetBrainsMono-Regular.woff2View on unpkg
daemon/index.jsView file
path = daemon/index.js kind = oversized_source_file sizeBytes = 2145633 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

daemon/index.jsView on unpkg

Findings

1 Critical7 High6 Medium6 Low
CriticalPrevious Version Dangerous Deltabundle/cli.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processharnesses/claude-code/bundle/pre-tool-use.js
HighShellbundle/cli.js
HighSame File Env Network Executiondaemon/restart-helper.js
HighCross File Remote Execution Contextbundle/cli.js
HighShips High Entropy Blobassets/logos/fonts/JetBrainsMono-Regular.woff2
HighOversized Source Filedaemon/index.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requireembeddings/embed-daemon.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencebundle/cli.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvalembeddings/embed-daemon.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License