AI Security Review
scanned 3h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
User runs `plandesk factory init` in a repository, then Claude Code lifecycle events occur.
Impact
Repository-local agent behavior is extended; hook scripts may read the project Plan Desk token and transmit progress to its configured server.
Mechanism
Explicit agent-hook installation and token-authenticated Plan Desk API calls.
Rationale
This is an explicit-user-command agent configuration mutation with lifecycle hooks, not concrete malicious install-time behavior or stealthy exfiltration. Flag as warn for agent-extension capability risk.
Evidence
package.jsonbin/plandeskdist/connect.jsdist/connect-artifacts.jsdist/factory.jsdist/curator-templates.jsdist/progress-checkpoint.jsdist/cli.js.claude/settings.json.agents/curator/hooks/session-start.sh.agents/curator/hooks/checkpoint.sh.plandesk/token
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `plandesk factory init` writes repo `.claude/settings.json` hook entries.
- Installed SessionStart/Stop/PreCompact hooks execute package-generated shell scripts.
- Hooks read `.plandesk/token` and post progress to configured Plan Desk server.
- `--force` can bypass the guard against global agent-config directories.
Evidence against
- `package.json` has no preinstall/install/postinstall lifecycle hooks.
- Agent configuration changes require explicit `connect` or `factory init` commands.
- Factory refuses home/global config directories unless explicitly forced.
- No child-process APIs, eval, dynamic imports, or credential harvesting found.
- Network requests target the user-configured Plan Desk server; default connection URL is loopback.
Behavioral surface
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourceclaude/settings.jsonView file
•Published source reference
Medium
Ai Review Evidence
`plandesk factory init` writes repo `.claude/settings.json` hook entries.
claude/settings.jsonView on unpkgFindings
7 Medium4 Low
MediumDynamic Require
MediumNetwork
MediumEnvironment Vars
MediumAi Review Evidenceclaude/settings.json
MediumAi Review Evidence
MediumAi Review Evidence
MediumAi Review Evidence
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings