registry  /  @lubed/cli  /  0.10.0

@lubed/cli@0.10.0

Lube CLI — connect Claude Code, Codex, and other AI tools to your Lube AI usage dashboard.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `lube ai connect`; subsequently configured AI-tool hook events run the internal `lube ai hook` command.
Impact
Can persist package-owned telemetry hooks across supported AI tools and transmit usage, repository attribution, and skill-use metadata under the user's configured profile.
Mechanism
User-invoked multi-agent telemetry hook installation and event upload.
Rationale
No concrete malicious or unconsented lifecycle behavior was found, but the explicit setup command installs persistent hooks across multiple AI-agent control surfaces and uploads telemetry. Treat as a user-invoked agent-capability risk.
Evidence
package.jsondist/commands/connect.jsdist/profiles.jsdist/commands/hook.jsdist/harness/skill-harvest.jsdist/api-client.jsdist/git-context.jsdist/merged-session-start.js~/.config/merged/profiles/<profile>/auth.json~/.config/merged/profiles/<profile>/env.sh~/.codex/config.toml~/.codex/hooks.json~/.claude/settings.json~/.cursor/hooks.json~/.config/opencode/plugins/merged-ai-usage.js~/.gemini/settings.json~/.pi/agent/extensions/lube-ai-usage.ts
Network endpoints4
api.lube.workapi.lube.localhostapp.lube.workapp.lube.localhost:3000

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/commands/connect.js` explicitly patches AI-tool integrations after `lube ai connect`.
  • `dist/profiles.js` writes hooks/config for Codex, Claude, Cursor, OpenCode, Gemini, Copilot, and others.
  • `dist/commands/hook.js` reads hook input/transcripts, queues events, and sends them with the stored token.
  • `dist/harness/skill-harvest.js` emits skill-use metadata from transcripts, including supplied skill arguments.
  • `dist/git-context.js` reads CI/git metadata and runs bounded `git` commands for attribution.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • All control-surface mutation is reached from explicit CLI commands, principally `lube ai connect`.
  • Network client targets configured Lube API URLs and uses the profile token; no arbitrary endpoint discovery found.
  • No eval, Function, remote code download, binary loading, credential-file sweep, or destructive behavior found.
  • `dist/merged-session-start.js` only hashes the detected git remote for hook context and supports opt-out.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 29 file(s), 348 KB of source, external domains: api.lube.localhost, api.lube.work, app.lube.localhost, app.lube.work, docs.cline.bot, docs.openhands.dev, kiro.dev, lube.work, www.apple.com

Source & flagged code

1 flagged · loading source
dist/git-context.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @lubed/cli@0.9.2 matchedIdentity = npm:QGx1YmVkL2NsaQ:0.9.2 similarity = 0.538 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/git-context.jsView on unpkg

Findings

1 High2 Medium5 Low
HighPrevious Version Dangerous Deltadist/git-context.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License