AI Security Review
scanned 3h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
User runs legion-setup, legion-codex-setup, legion-cursor-setup, scripts/install.sh, or router/delegation CLIs.
Impact
Can alter agent skills/MCP/subagents and route metered model traffic, but no unconsented install-time mutation or exfiltration was observed.
Mechanism
explicit AI-agent extension setup and local model-routing telemetry
Rationale
Source inspection shows explicit agent extension setup and model-routing capabilities, but not malicious install-time or import-time behavior. Because it mutates AI-agent control surfaces only on user command, this fits a warning rather than a publish block.
Evidence
package.jsonscripts/install.shscripts/uninstall.shlegion-setup/scripts/legion-codex-setup.shlegion-setup/scripts/legion-cursor-setup.shlegion-setup/scripts/legion-codex-mcp-merge.pylegion-setup/scripts/legion-cursor-mcp-merge.pylegion-setup/scripts/legion-codex-bridge.pylegion-setup/scripts/legion-cursor-bridge.pylegion-router/scripts/router.tslegion-router/scripts/sandcastle-run.mjs~/.codex/config.toml~/.codex/skills~/.cursor/mcp.json~/.cursor/agents~/.agents/skills~/.agents/sources/legion-core~/.agents/bin~/.claude/logs/legion/spans~/.claude/logs/costs${XDG_CONFIG_HOME:-~/.config}/legion/router
Network endpoints6
github.com/Opus-Aether-AI/legion-core.gitraw.githubusercontent.com/Opus-Aether-AI/legion-core/mainapi.anthropic.comapi.minimax.io/anthropiclocalhost:11434127.0.0.1:8082
Decision evidence
public snapshotAI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- Explicit setup commands mutate AI-agent control surfaces: ~/.codex/config.toml, ~/.codex/skills, ~/.cursor/mcp.json, ~/.cursor/agents.
- legion-setup/scripts/*-bridge.py generates Codex skills and Cursor agents from marketplace agents/commands.
- scripts/install.sh can clone/update Opus-Aether-AI/legion-core and optionally add a daily refresh cron.
- legion-router/scripts/router.ts proxies Anthropic/MiniMax/Ollama traffic and logs metering data under ~/.claude/logs.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle scripts.
- Agent config mutation is behind explicit user-invoked setup/bin commands, not install-time execution.
- MCP merge helpers preserve unrelated user config and only reconcile marketplace-owned server names.
- router.ts binds to 127.0.0.1 and uses package-aligned model proxy/telemetry behavior.
- No credential harvesting loop or unrelated file exfiltration found in inspected source.
- sandcastle-run.mjs dynamic import/child_process usage is an explicit delegation/sandbox path.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
UrlStrings
WildcardDependency
Source & flagged code
2 flagged · loading sourcelegion-router/scripts/sandcastle-run.mjsView file
53try {
L54: ({ run, codex } = await import("@ai-hero/sandcastle"));
L55: ({ [providerName[sandbox]]: sandboxFactory } = await import(
Medium
Dynamic Require
Package source references dynamic require/import behavior.
legion-router/scripts/sandcastle-run.mjsView on unpkg · L53legion-observability/bench/tools/import-aider-polyglot.pyView file
•path = legion-[redacted]-aider-polyglot.py
kind = build_helper
sizeBytes = 11771
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
legion-observability/bench/tools/import-aider-polyglot.pyView on unpkgFindings
5 Medium2 Low
MediumDynamic Requirelegion-router/scripts/sandcastle-run.mjs
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperlegion-observability/bench/tools/import-aider-polyglot.py
MediumWildcard Dependency
LowFilesystem
LowUrl Strings