AI Security Review
scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface or install-time compromise was found. The real risk is explicit user-command mutation of AI-agent skill/hook/plugin configuration for h2a coordination.
Static reason
No blocking static signals were detected; the diff against the previous stored version introduced dangerous source.
Trigger
User runs `h2a install-skills`, `h2a host setup`, or `h2a host plugin --write/--scaffold`.
Impact
Adds h2a MCP/skill/hook integrations to local agent hosts; no automatic exfiltration or unconsented install-time control hijack observed.
Mechanism
first-party agent skill and hook configuration writes
Rationale
Because the agent-control writes are explicit, first-party setup commands rather than install-time or import-time mutation, this is not malicious under the firewall policy. It still warrants a warning due to agent extension lifecycle and control-surface changes when users invoke those commands.
Evidence
- package.json
- dist/bin.js
- dist/index.js
- dist/cli.js
- dist/hosts/plugin.js
- dist/runtime/upgrade/index.js
- dist/runtime/local-files/paths.js
- ~/.claude/skills/<skill>/SKILL.md
- ~/.codex/skills/<skill>/SKILL.md
- ~/.gemini/commands/<skill>.toml
- <project>/.claude/skills/<skill>/SKILL.md
- <project>/.codex/skills/<skill>/SKILL.md
- <project>/.gemini/commands/<skill>.toml
- <scaffold>/plugins/h2a-drumbeat/.codex-plugin/plugin.json
- <scaffold>/plugins/h2a-drumbeat/hooks/hooks.json
- <scaffold>/.agents/plugins/marketplace.json
Network endpoints (5)
- 127.0.0.1:8787/h2a/envelopes
- 127.0.0.1:8788/h2a/drive
- 127.0.0.1:8788/h2a/mirror
- claude.ai/api/mcp/auth_callback
- claude.com/api/mcp/auth_callback
Decision evidence
Public snapshot: AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- dist/cli.js exposes explicit `h2a install-skills --host <claude|codex|gemini|agy>` that writes bundled skills into user/project agent skill directories.
- dist/cli.js `host plugin --write/--scaffold` writes Claude/Gemini/Codex hook/plugin config when invoked with flags.
- dist/hosts/plugin.js renders host lifecycle hook commands for Stop and UserPromptSubmit that call `h2a drumbeat record` and `h2a drive receive`.
- dist/runtime/upgrade/index.js can run `npm i -g @sentropic/h2a@latest`, but only through explicit upgrade or opt-in auto-upgrade flags.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle scripts; only `prepack`.
- dist/bin.js only dispatches CLI subcommands; dynamic import is limited to optional `@sentropic/h2a-runtime` for non-native runtime verbs.
- Network listeners/senders in dist/cli.js are user-invoked `remote`, `drive`, `mirror`, and MCP serve commands, binding localhost by default where applicable.
- No import-time credential harvesting or exfiltration found in inspected entrypoints.
- Agent config writes are first-party h2a setup commands, guarded by explicit flags and merge/refuse behavior rather than install-time mutation.
Behavioral surface
- ChildProcess
- Crypto
- DynamicRequire
- EnvironmentVars
- Filesystem
- Network
- Shell
- HighEntropyStrings
- UrlStrings
Source & flagged code
2 flagged

dist/bin.js (lines 40-42):
L40: try {
L41:   rt = (await import(REMOTE_RUNTIME_PKG));
L42: }

Medium
Dynamic Require
Package source references dynamic require/import behavior.
Location: dist/bin.js, L40

dist/cli.js:
matchType = previous_version_dangerous_delta
matchedPackage = @sentropic/h2a@0.81.0
matchedIdentity = npm:QHNlbnRyb3BpYy9oMmE:0.81.0
similarity = 0.850
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
Location: dist/cli.js

Findings
1 High · 3 Medium · 4 Low
- High: Previous Version Dangerous Delta (dist/cli.js)
- Medium: Dynamic Require (dist/bin.js)
- Medium: Network
- Medium: Environment Vars
- Low: Scripts Present
- Low: Filesystem
- Low: High Entropy Strings
- Low: Url Strings