registry  /  @legioncodeinc/honeycomb  /  0.5.4

@legioncodeinc/honeycomb@0.5.4

Honeycomb monorepo foundation: a long-lived daemon plus thin clients for six coding harnesses, the unified honeycomb CLI, the MCP server, and the embed daemon.

AI Security Review

scanned 18h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious install-time attack surface. The package provides an explicit AI-agent memory integration that can wire first-party hooks into user assistant configs and capture session/tool events to a local Honeycomb daemon.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs honeycomb setup, honeycomb connect, honeycomb hook wire, install/login, daemon, or configured harness hooks
Impact
Warn-level lifecycle risk: explicit setup can add command hooks to AI assistant configs and capture agent context, but source inspection did not show unconsented install-time mutation or exfiltration.
Mechanism
first-party agent hook wiring and local memory/telemetry client
Rationale
Source inspection supports a warn, not block: npm postinstall is benign, while explicit setup can install first-party AI-agent hooks and telemetry-capable memory capture. There is no evidence of unconsented install-time mutation of broad agent control surfaces or concrete malicious exfiltration.
Evidence
package.jsonscripts/ensure-tree-sitter.mjsscripts/ensure-embed-deps.mjsbundle/cli.jsharnesses/claude-code/hooks/hooks.jsonharnesses/claude-code/bundle/pre-tool-use.jsharnesses/codex/bundle/pre-tool-use.jsembeddings/embed-daemon.jssdk/index.js~/.claude/settings.json~/.claude/plugins/honeycomb~/.claude/skills~/.codex/hooks.json~/.codex/plugins/honeycomb~/.codex/skills~/.cursor/hooks.json~/.honeycomb$APIARY_HOME
Network endpoints6
127.0.0.1:3850127.0.0.1:3851127.0.0.1:3853api.deeplake.aius.i.posthog.comget.theapiary.sh

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • bundle/cli.js explicit setup/connect wires hooks into ~/.claude/settings.json, ~/.codex/hooks.json, ~/.cursor/hooks.json and skill dirs
  • bundle/cli.js Claude connector runs claude plugin marketplace/install/enable and migrates old hivemind plugin
  • harnesses/claude-code/hooks/hooks.json registers command hooks that run bundled node handlers on session/tool events
  • hook bundles capture prompts/tool events and POST to local daemon /api/hooks
  • bundle/cli.js includes telemetry emit path to https://us.i.posthog.com after install/update events
Evidence against
  • package.json postinstall only runs scripts/ensure-tree-sitter.mjs and scripts/ensure-embed-deps.mjs
  • postinstall scripts resolve optional deps and exit; no downloads, shelling, agent config writes, or network calls observed
  • agent hook wiring is behind explicit honeycomb setup/connect/hook wire commands, not npm install/import
  • network use is mostly loopback daemon/embed services plus documented DeepLake/auth/telemetry product endpoints
  • SDK only sends bearer token over HTTPS or loopback HTTP
  • no credential harvesting, remote payload execution, destructive behavior, or hidden persistence found
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
CopyleftLicense
scanned 27 file(s), 10.2 MB of source, external domains: 127.0.0.1, api.deeplake.ai, get.theapiary.sh, github.com, json-schema.org, raw.githubusercontent.com, schemas.microsoft.com, spec.openapis.org, stackoverflow.com, tools.ietf.org, us.i.posthog.com, www.safaribooksonline.com, www.w3.org
Oversized source lightweight scan
daemon/index.js2.05 MB file, sampled 256 KB
FilesystemNetworkEnvironmentVarsCryptoHighEntropyStrings

Source & flagged code

12 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/ensure-tree-sitter.mjs && node scripts/ensure-embed-deps.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/ensure-tree-sitter.mjs && node scripts/ensure-embed-deps.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
harnesses/claude-code/bundle/pre-tool-use.jsView file
16133// dist/src/hooks/shared/project-resolver.js L16134: import { execFileSync } from "node:child_process"; L16135: import { existsSync as existsSync7, mkdirSync as mkdirSync7, readFileSync as readFileSync10, writeFileSync as writeFileSync7 } from "node:fs";
High
Child Process

Package source references child process execution.

harnesses/claude-code/bundle/pre-tool-use.jsView on unpkg · L16133
bundle/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @legioncodeinc/honeycomb@0.4.1 matchedIdentity = npm:[redacted]:0.4.1 similarity = 0.963 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bundle/cli.jsView on unpkg
17259function [redacted](platform2 = process.platform) { L17260: const command = platform2 === "win32" ? 'powershell -c "& { $(irm https://get.theapiary.sh/install.ps1) } --products=honeycomb,doctor,hive"' : "curl -fsSL https://get.theapiary.sh ... L17261: return `Dashboard portal is not running; install it with ${command}.`;
High
Shell

Package source references shell execution.

bundle/cli.jsView on unpkg · L17259
132Cross-file remote execution chain: bundle/cli.js spawns harnesses/claude-code/bundle/pre-tool-use.js; helper contains network access plus dynamic code execution. L132: ZodArray: () => ZodArray, L133: ZodBase64: () => ZodBase64, L134: ZodBase64URL: () => ZodBase64URL, ... L1593: error: new (_Err ?? $ZodError)(result.issues.map((iss) => finalizeIssue(iss, ctx, config()))) L1594: } : { success: true, data: result.value }; L1595: }; ... L2677: try { L2678: new URL(`http://[${payload.value}]`); L2679: } catch { ... L14662: function resolveFleetRoot(options = {}) { L14663: const env = options.env ?? process.env; L14664: const platform2 = options.platform ?? process.platform;
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

bundle/cli.jsView on unpkg · L132
132ZodArray: () => ZodArray, L133: ZodBase64: () => ZodBase64, L134: ZodBase64URL: () => ZodBase64URL, ... L1593: error: new (_Err ?? $ZodError)(result.issues.map((iss) => finalizeIssue(iss, ctx, config()))) L1594: } : { success: true, data: result.value }; L1595: }; ... L2677: try { L2678: new URL(`http://[${payload.value}]`); L2679: } catch { ... L14662: function resolveFleetRoot(options = {}) { L14663: const env = options.env ?? process.env; L14664: const platform2 = options.platform ?? process.platform;
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

bundle/cli.jsView on unpkg · L132
embeddings/embed-daemon.jsView file
34const moduleSpecifier = "@huggingface/transformers"; L35: const dynamicImport = new Function("m", "return import(m);"); L36: return await dynamicImport(moduleSpecifier);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

embeddings/embed-daemon.jsView on unpkg · L34
34const moduleSpecifier = "@huggingface/transformers"; L35: const dynamicImport = new Function("m", "return import(m);"); L36: return await dynamicImport(moduleSpecifier);
Low
Eval

Package source references a known benign dynamic code generation pattern.

embeddings/embed-daemon.jsView on unpkg · L34
daemon/restart-helper.jsView file
1// dist/src/daemon/restart-helper.js L2: import { spawn } from "node:child_process"; L3: var port = Number(process.env.HONEYCOMB_RESTART_PORT ?? "3850"); L4: var entry = process.env.HONEYCOMB_RESTART_ENTRY ?? ""; ... L8: var LOCK_RELEASE_GRACE_MS = 800; L9: var healthUrl = `http://127.0.0.1:${Number.isFinite(port) && port > 0 ? port : 3850}/health`; L10: async function stillUp() {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

daemon/restart-helper.jsView on unpkg · L1
assets/logos/fonts/JetBrainsMono-Regular.woff2View file
path = [redacted]-Regular.woff2 kind = high_entropy_blob sizeBytes = 92164 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

assets/logos/fonts/JetBrainsMono-Regular.woff2View on unpkg
daemon/index.jsView file
path = daemon/index.js kind = oversized_source_file sizeBytes = 2146982 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

daemon/index.jsView on unpkg

Findings

1 Critical7 High6 Medium6 Low
CriticalPrevious Version Dangerous Deltabundle/cli.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processharnesses/claude-code/bundle/pre-tool-use.js
HighShellbundle/cli.js
HighSame File Env Network Executiondaemon/restart-helper.js
HighCross File Remote Execution Contextbundle/cli.js
HighShips High Entropy Blobassets/logos/fonts/JetBrainsMono-Regular.woff2
HighOversized Source Filedaemon/index.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requireembeddings/embed-daemon.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencebundle/cli.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvalembeddings/embed-daemon.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License