AI Security Review
scanned 4h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
User runs `loxtep init --template <slug>` in a project directory.
Impact
A user-invoked project setup can direct compatible agents toward the Loxtep MCP service; no stealth, install-time mutation, or exfiltration chain was confirmed.
Mechanism
Explicit CLI writes project-local AI-agent configuration and scaffolding.
Rationale
Source inspection found no concrete malicious behavior or unconsented lifecycle mutation. The explicit agent-configuration scaffold remains a guarded capability risk, so downgrade to warn rather than block or clean.
Evidence
package.jsondist/cli/commands/init-cmd.jsdist/auth/browser-login.jsdist/http/client.jsdist/cli/commands/test-cmd.jsdist/cli/commands/deploy-cmd.jsdist/cli/project-context.jsdist/cli/credentials.jsdist/config/paths.jsdist/config/save.js
Network endpoints3
api.loxtep.ioapp.loxtep.iomcp.loxtep.io/ai/mcp/stream
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `loxtep init --template` writes project-root `AGENTS.md` containing an `mcpServers` entry for Loxtep.
- The same explicit init path writes `.loxtep/skills/<template>.yaml` with read/write workflow permissions.
- Browser login starts a localhost callback and launches a user browser via `child_process.exec`.
- `test` and `deploy` dynamically import workflow files from the user project.
Evidence against
- `package.json` has no `preinstall`, `install`, or `postinstall` hook; only `prepublishOnly` builds before publishing.
- Agent-related files are created only by explicit `loxtep init --template`, not on install or import.
- Credential/config writes are limited to `~/.loxtep` and are invoked by login/config commands.
- HTTP requests use configured Loxtep API URLs and authenticated SDK operations; no harvesting/exfiltration path was found.
- No `eval`, VM, binary/native loader, destructive broad filesystem action, or hidden persistence was found.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/cli/commands/test-cmd.jsView file
198// Use dynamic import; for .ts files this requires a loader (tsx, ts-node, etc.)
L199: const mod = await import(candidate);
L200: // The module should export a default or named `workflow` that is a DataWorkflowModule
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/cli/commands/test-cmd.jsView on unpkg · L198Findings
4 Medium5 Low
MediumDynamic Requiredist/cli/commands/test-cmd.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings