registry  /  @legioncodeinc/honeycomb  /  0.5.7

@legioncodeinc/honeycomb@0.5.7

Honeycomb monorepo foundation: a long-lived daemon plus thin clients for six coding harnesses, the unified honeycomb CLI, the MCP server, and the embed daemon.

AI Security Review

scanned 13h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package is a first-party Honeycomb agent integration that can wire AI assistant hooks and install skill/agent artifacts when users run its CLI or daemon workflows. The npm postinstall path itself is dependency sanity checking only and does not mutate agent control surfaces.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs honeycomb setup/install/hook or starts Honeycomb daemon/hooks; npm install triggers only dependency checks.
Impact
Agent conversations/tool events may be captured into the local Honeycomb daemon and configured assistants may receive Honeycomb context; no unconsented install-time hijack found.
Mechanism
Explicit agent hook wiring plus local hook event capture to Honeycomb daemon
Rationale
Static source inspection supports a guarded agent-extension lifecycle risk rather than malware: the flagged lifecycle postinstall scripts are benign dependency checks, while the risky AI-agent wiring is first-party and user-invoked. No concrete malicious chain or unconsented postinstall control-surface mutation was found.
Evidence
package.jsonscripts/ensure-tree-sitter.mjsscripts/ensure-embed-deps.mjsbundle/cli.jsharnesses/codex/bundle/capture.jsharnesses/claude-code/bundle/pre-tool-use.jsembeddings/embed-daemon.js~/.codex/skills~/.codex/agents~/.claude/skills~/.claude/agents~/.cursor/skills~/.cursor/agents~/.hermes/skills~/.hermes/agents~/.pi/agent/skills~/.pi/agent/agents~/.openclaw/skills~/.openclaw/agents~/.apiary/honeycomb~/.honeycomb
Network endpoints6
127.0.0.1:3850/api/hooks127.0.0.1:3850/api/memories/prime127.0.0.1:3850/api/diagnostics/notificationsapi.deeplake.aius.i.posthog.comget.theapiary.sh

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • bundle/cli.js defines user commands setup/install/hook that wire assistant hooks and skills/agents.
  • bundle/cli.js connector code writes harness config for .codex/.claude/.cursor/.hermes/.pi/.openclaw skills/agents.
  • harnesses/codex/bundle/capture.js captures agent events and posts to local daemon /api/hooks.
  • harnesses/codex/bundle/capture.js CODEX_HOST_CLI includes codex exec --dangerously-bypass-approvals-and-sandbox for agent spawning.
Evidence against
  • package.json postinstall only runs scripts/ensure-tree-sitter.mjs and scripts/ensure-embed-deps.mjs.
  • scripts/ensure-tree-sitter.mjs only resolve/checks WASM parser dependencies and exits non-fatally.
  • scripts/ensure-embed-deps.mjs only checks optional @huggingface/transformers presence and does not download or import it.
  • Agent config mutation appears tied to explicit CLI setup/install/hook or daemon lifecycle, not npm postinstall.
  • Hook network calls target local daemon 127.0.0.1:3850; SDK/cloud endpoints are product-aligned.
  • No credential exfiltration, remote payload execution, destructive install behavior, or hidden persistence confirmed.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
CopyleftLicense
scanned 27 file(s), 10.2 MB of source, external domains: 127.0.0.1, api.deeplake.ai, get.theapiary.sh, github.com, json-schema.org, raw.githubusercontent.com, schemas.microsoft.com, spec.openapis.org, stackoverflow.com, tools.ietf.org, us.i.posthog.com, www.safaribooksonline.com, www.w3.org
Oversized source lightweight scan
daemon/index.js2.06 MB file, sampled 256 KB
FilesystemNetworkEnvironmentVarsCryptoHighEntropyStrings

Source & flagged code

12 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/ensure-tree-sitter.mjs && node scripts/ensure-embed-deps.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/ensure-tree-sitter.mjs && node scripts/ensure-embed-deps.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
harnesses/claude-code/bundle/pre-tool-use.jsView file
16133// dist/src/hooks/shared/project-resolver.js L16134: import { execFileSync } from "node:child_process"; L16135: import { existsSync as existsSync7, mkdirSync as mkdirSync7, readFileSync as readFileSync10, writeFileSync as writeFileSync7 } from "node:fs";
High
Child Process

Package source references child process execution.

harnesses/claude-code/bundle/pre-tool-use.jsView on unpkg · L16133
bundle/cli.jsView file
17302function [redacted](platform2 = process.platform) { L17303: const command = platform2 === "win32" ? 'powershell -c "& { $(irm https://get.theapiary.sh/install.ps1) } --products=honeycomb,doctor,hive"' : "curl -fsSL https://get.theapiary.sh ... L17304: return `Dashboard portal is not running; install it with ${command}.`;
High
Shell

Package source references shell execution.

bundle/cli.jsView on unpkg · L17302
132Cross-file remote execution chain: bundle/cli.js spawns harnesses/claude-code/bundle/pre-tool-use.js; helper contains network access plus dynamic code execution. L132: ZodArray: () => ZodArray, L133: ZodBase64: () => ZodBase64, L134: ZodBase64URL: () => ZodBase64URL, ... L1593: error: new (_Err ?? $ZodError)(result.issues.map((iss) => finalizeIssue(iss, ctx, config()))) L1594: } : { success: true, data: result.value }; L1595: }; ... L2677: try { L2678: new URL(`http://[${payload.value}]`); L2679: } catch { ... L14662: function resolveFleetRoot(options = {}) { L14663: const env = options.env ?? process.env; L14664: const platform2 = options.platform ?? process.platform;
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

bundle/cli.jsView on unpkg · L132
132ZodArray: () => ZodArray, L133: ZodBase64: () => ZodBase64, L134: ZodBase64URL: () => ZodBase64URL, ... L1593: error: new (_Err ?? $ZodError)(result.issues.map((iss) => finalizeIssue(iss, ctx, config()))) L1594: } : { success: true, data: result.value }; L1595: }; ... L2677: try { L2678: new URL(`http://[${payload.value}]`); L2679: } catch { ... L14662: function resolveFleetRoot(options = {}) { L14663: const env = options.env ?? process.env; L14664: const platform2 = options.platform ?? process.platform;
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

bundle/cli.jsView on unpkg · L132
embeddings/embed-daemon.jsView file
34const moduleSpecifier = "@huggingface/transformers"; L35: const dynamicImport = new Function("m", "return import(m);"); L36: return await dynamicImport(moduleSpecifier);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

embeddings/embed-daemon.jsView on unpkg · L34
34const moduleSpecifier = "@huggingface/transformers"; L35: const dynamicImport = new Function("m", "return import(m);"); L36: return await dynamicImport(moduleSpecifier);
Low
Eval

Package source references a known benign dynamic code generation pattern.

embeddings/embed-daemon.jsView on unpkg · L34
daemon/restart-helper.jsView file
1// dist/src/daemon/restart-helper.js L2: import { spawn } from "node:child_process"; L3: var port = Number(process.env.HONEYCOMB_RESTART_PORT ?? "3850"); L4: var entry = process.env.HONEYCOMB_RESTART_ENTRY ?? ""; ... L8: var LOCK_RELEASE_GRACE_MS = 800; L9: var healthUrl = `http://127.0.0.1:${Number.isFinite(port) && port > 0 ? port : 3850}/health`; L10: async function stillUp() {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

daemon/restart-helper.jsView on unpkg · L1
assets/logos/fonts/JetBrainsMono-Regular.woff2View file
path = [redacted]-Regular.woff2 kind = high_entropy_blob sizeBytes = 92164 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

assets/logos/fonts/JetBrainsMono-Regular.woff2View on unpkg
daemon/index.jsView file
path = daemon/index.js kind = oversized_source_file sizeBytes = 2160294 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

daemon/index.jsView on unpkg
harnesses/codex/bundle/capture.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @legioncodeinc/honeycomb@0.5.6 matchedIdentity = npm:[redacted]:0.5.6 similarity = 0.481 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

harnesses/codex/bundle/capture.jsView on unpkg

Findings

1 Critical7 High6 Medium6 Low
CriticalPrevious Version Dangerous Deltaharnesses/codex/bundle/capture.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processharnesses/claude-code/bundle/pre-tool-use.js
HighShellbundle/cli.js
HighSame File Env Network Executiondaemon/restart-helper.js
HighCross File Remote Execution Contextbundle/cli.js
HighShips High Entropy Blobassets/logos/fonts/JetBrainsMono-Regular.woff2
HighOversized Source Filedaemon/index.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requireembeddings/embed-daemon.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencebundle/cli.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvalembeddings/embed-daemon.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License