AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
Explicit codematrix-daemon run or server-driven agent:start after daemon registration
Impact
Can cause managed agents to run with broad local permissions under CodeMatrix control, but source inspection ties this to the package's stated daemon function rather than covert install-time hijack.
Mechanism
user-invoked AI CLI spawning with MCP config injection and auto-approval flags
Rationale
Static source inspection supports a warning for dangerous user-invoked AI-agent orchestration and config mutation, not a publish block. The scanner's install-script hit is noisy because the lifecycle script only chmods a bundled node-pty helper.
Evidence
package.jsonREADME.mddist/cli.jsdist/daemon.jsdist/chat-bridge-mm.js~/.codematrix/agents/<agentId>/mcp-config.json<workDir>/AGENTS.md<workDir>/.gemini/settings.json<workDir>/.qwen/settings.json<workDir>/.qoder/codematrix-mcp.json<hermesHome>/config.yaml<hermesHome>/.env<hermesHome>/auth.json
Network endpoints2
api.slock.ailocalhost:8065
Decision evidence
public snapshotAI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- dist/daemon.js spawns Claude/Codex/Gemini/Qoder/Qwen/Kimi CLIs with auto-approval or bypass flags after daemon commands.
- dist/daemon.js writes AI-agent MCP/config files such as AGENTS.md, .gemini/settings.json, .qwen/settings.json, .qoder/codematrix-mcp.json, and ~/.codematrix/agents/*/mcp-config.json.
- dist/daemon.js Hermes setup copies ~/.hermes/.env and auth.json into an isolated HERMES_HOME.
- dist/daemon.js connects to a configured server and exposes chat/task/file MCP bridge behavior.
Evidence against
- package.json postinstall only chmods bundled node-pty spawn-helper and does not modify AI-agent configs.
- dist/cli.js requires explicit codematrix-daemon run with --server-url and --api-key before daemon behavior starts.
- Network calls are to user/configured CodeMatrix/Mattermost-style endpoints, not hardcoded exfiltration infrastructure.
- README.md describes the package as a local CodeMatrix agent process manager for AI CLIs and WebSocket server connection.
- No import-time execution beyond exports was found in dist/daemon.js.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStrings
Source & flagged code
3 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node -e "try{require('fs').chmodSync(require('path').join('node_modules','node-pty','prebuilds',process.platform+'-'+process.arch,'spawn-helper'),0o755)}catch{}"
Critical
Red Install Lifecycle Script
Install-time lifecycle script matches a deterministic static-gate block pattern.
package.jsonView on unpkg•scripts.postinstall = node -e "try{require('fs').chmodSync(require('path').join('node_modules','node-pty','prebuilds',process.platform+'-'+process.arch,'spawn-helper'),0o755)}catch{}"
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgdist/daemon.jsView file
355const moduleName = "node-pty";
L356: pty = await import(
L357: /* webpackIgnore: true */
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/daemon.jsView on unpkg · L355Findings
1 Critical1 High4 Medium3 Low
CriticalRed Install Lifecycle Scriptpackage.json
HighInstall Time Lifecycle Scriptspackage.json
MediumDynamic Requiredist/daemon.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings