AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The bundled first-party plugin installs lifecycle hooks that capture agent prompts, tool activity, and commit metadata for persistent memory. Data is posted to a local daemon by default, but an operator can configure `AGENTMEMORY_URL` to another endpoint. No unconsented npm install-time mutation or concrete malicious payload was found.
Decision evidence
public snapshot- `plugin/hooks/hooks.json` registers 12 AI-agent lifecycle commands.
- `dist/hooks/prompt-submit.mjs` sends prompts, cwd, and session data to `AGENTMEMORY_URL`.
- `dist/hooks/post-commit.mjs` collects Git commit metadata and posts it to `AGENTMEMORY_URL`.
- `dist/connect-BSx9yV6v.mjs` can modify agent MCP configuration through explicit `connect` use.
- `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
- Hooks default to `http://localhost:3111`; no hidden external collection host was found.
- `AGENTMEMORY_INJECT_CONTEXT` defaults off in context-injecting hooks.
- Cloud metadata address handling in `dist/index.mjs` is an SSRF denylist check.
- Child-process use is bounded to Git, process management, editors, and explicit CLI operations.
Source & flagged code
4 flagged · loading sourcePackage source references child process execution.
dist/src-B1FeW6Q-.mjsView on unpkg · L6Source reaches cloud instance metadata or link-local credential endpoints.
dist/src-B1FeW6Q-.mjsView on unpkg · L6A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/hooks/post-commit.mjsView on unpkg · L1