AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The CLI is an explicit local AI-session orchestrator. It can modify selected project agent instructions, inject messages into tmux panes, and launch Codex without its sandbox. No install-time foreign control-surface mutation or covert exfiltration was found.
Static reason
No blocking static signals were detected.
Trigger
User runs `loomo add`, `loomo adopt`, `loomo hub`, `loomo up`, or opens the no-argument dashboard.
Impact
A user who configures untrusted projects or tmux sessions can grant coordinated agents broad local execution and pane-input control.
Mechanism
User-invoked agent configuration, tmux pane injection, and unsandboxed Codex launch.
Rationale
No concrete malicious payload, stealth persistence, or third-party credential exfiltration was found. Warn because the explicit product workflow modifies agent control files and disables Codex sandboxing for launched sessions.
Evidence
package.jsonbin/telllib/workspace.shlib/home.shtemplates/CLAUDE-section-role.en.mdtemplates/CLAUDE-section-hub.en.md$HOME/.claude/.credentials.json<user-selected-project>/AGENTS.md<user-selected-project>/CLAUDE.md$HOME/.config/loomo/workspaces.conf
Network endpoints1
api.anthropic.com/api/oauth/usage
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `bin/tell` launches Codex with `--sandbox danger-full-access`.
- `lib/workspace.sh` appends collaboration instructions to selected project `AGENTS.md`/`CLAUDE.md` files.
- `bin/tell` injects supplied messages into tmux AI panes via `tmux send-keys`.
- `lib/home.sh` reads Claude OAuth credentials and sends them to Anthropic's usage endpoint when the dashboard opens.
Evidence against
- `package.json` has no preinstall, install, postinstall, or import-time hook.
- The credential-bearing request targets only `https://api.anthropic.com/api/oauth/usage`; no third-party exfiltration endpoint was found.
- Agent setup, dependency installation, and project-file writes occur through documented user commands.
- Templates disclose the tmux injection boundary and prohibit sending secrets.
Behavioral surface
Source & flagged code
1 flagged · loading sourcelib/common.shView file
•path = lib/common.sh
kind = build_helper
sizeBytes = 1029
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
lib/common.shView on unpkgFindings
1 Medium1 Low
MediumShips Build Helperlib/common.sh
LowScripts Present