AI Security Review
scanned 3h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
User runs `lgtm setup` or `lgtm update`; review tools run only when invoked.
Impact
Can install or update this package's agent integrations and write temporary review files in the selected workspace.
Mechanism
Explicit first-party agent-plugin setup and local Git/Markdown review server
Rationale
No concrete malicious behavior is established. The explicit agent-integration setup is a real privileged capability, so it warrants a warning under the firewall policy despite being package-aligned and user-invoked.
Evidence
package.jsonbin/lgtm.mjsdist/cli.mjsextensions/index.js.mcp.json.mcp.claude.json.codex-plugin/plugin.json.claude-plugin/plugin.jsonskills/lgtm/SKILL.md.lgtm/<review-id>/manifest.json.lgtm/<review-id>/payload.json.lgtm/<review-id>/review.json.lgtm/<review-id>/server.json.lgtm/<review-id>/server.pid
Network endpoints1
github.com/rendotdev/lgtm
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/cli.mjs` implements explicit `lgtm setup`/`update` commands that spawn Pi, Claude, and Codex plugin-management commands.
- `dist/cli.mjs` setup can add the first-party `rendotdev/lgtm` marketplace and `lgtm@rendotdev` plugin.
- `extensions/index.js` registers agent tools that read Git diffs and write review artifacts under the active workspace `.lgtm/` directory.
Evidence against
- `package.json` has no preinstall, install, or postinstall lifecycle hook.
- No direct outbound HTTP, WebSocket, DNS, or credential-exfiltration primitive appears in `dist/cli.mjs` or `extensions/index.js`.
- `dist/cli.mjs` binds the review server to `127.0.0.1` and opens its local URL in the browser.
- Agent integration mutation is tied to explicit CLI `setup`/`update`, not import-time execution.
- `extensions/index.js` exports a Pi extension registration function; loading it does not auto-install integrations.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShell
HighEntropyStringsMinifiedObfuscatedUrlStrings
Source & flagged code
2 flagged · loading sourcedist/web/assets/sass-DXrisJhu.jsView file
1var e=[Object.freeze(JSON.parse(`{"displayName":"Sass","fileTypes":["sass"],"foldingStartMarker":"/\\\\*|^#|^\\\\*|^\\\\b|\\\\*#?region|^\\\\.","foldingStopMarker":"\\\\*/|\\\\*#?e...
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/web/assets/sass-DXrisJhu.jsView on unpkg · L1dist/web/assets/geist-mono-vietnamese-wght-normal-D8KDMBhC.woff2View file
•path = dist/web/assets/geist-mono-vietnamese-wght-normal-D8KDMBhC.woff2
kind = high_entropy_blob
sizeBytes = 7716
magicHex = [redacted]
High
Ships High Entropy Blob
Package ships high-entropy non-source blobs.
dist/web/assets/geist-mono-vietnamese-wght-normal-D8KDMBhC.woff2View on unpkgFindings
1 High4 Medium5 Low
HighShips High Entropy Blobdist/web/assets/geist-mono-vietnamese-wght-normal-D8KDMBhC.woff2
MediumDynamic Requiredist/web/assets/sass-DXrisJhu.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings