AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `lube ai connect`; subsequently configured AI-tool hook events run the internal `lube ai hook` command.
Impact
Can persist package-owned telemetry hooks across supported AI tools and transmit usage, repository attribution, and skill-use metadata under the user's configured profile.
Mechanism
User-invoked multi-agent telemetry hook installation and event upload.
Rationale
No concrete malicious or unconsented lifecycle behavior was found, but the explicit setup command installs persistent hooks across multiple AI-agent control surfaces and uploads telemetry. Treat as a user-invoked agent-capability risk.
Evidence
package.jsondist/commands/connect.jsdist/profiles.jsdist/commands/hook.jsdist/harness/skill-harvest.jsdist/api-client.jsdist/git-context.jsdist/merged-session-start.js~/.config/merged/profiles/<profile>/auth.json~/.config/merged/profiles/<profile>/env.sh~/.codex/config.toml~/.codex/hooks.json~/.claude/settings.json~/.cursor/hooks.json~/.config/opencode/plugins/merged-ai-usage.js~/.gemini/settings.json~/.pi/agent/extensions/lube-ai-usage.ts
Network endpoints4
api.lube.workapi.lube.localhostapp.lube.workapp.lube.localhost:3000
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/commands/connect.js` explicitly patches AI-tool integrations after `lube ai connect`.
- `dist/profiles.js` writes hooks/config for Codex, Claude, Cursor, OpenCode, Gemini, Copilot, and others.
- `dist/commands/hook.js` reads hook input/transcripts, queues events, and sends them with the stored token.
- `dist/harness/skill-harvest.js` emits skill-use metadata from transcripts, including supplied skill arguments.
- `dist/git-context.js` reads CI/git metadata and runs bounded `git` commands for attribution.
Evidence against
- `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
- All control-surface mutation is reached from explicit CLI commands, principally `lube ai connect`.
- Network client targets configured Lube API URLs and uses the profile token; no arbitrary endpoint discovery found.
- No eval, Function, remote code download, binary loading, credential-file sweep, or destructive behavior found.
- `dist/merged-session-start.js` only hashes the detected git remote for hook context and supports opt-out.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
1 flagged · loading sourcedist/git-context.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @lubed/cli@0.9.2
matchedIdentity = npm:QGx1YmVkL2NsaQ:0.9.2
similarity = 0.538
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/git-context.jsView on unpkgFindings
1 High2 Medium5 Low
HighPrevious Version Dangerous Deltadist/git-context.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License