registry  /  @shomra/agent  /  0.2.8

@shomra/agent@0.2.8

Shomra — a local-first security scanner and runtime firewall for AI agents, MCP servers, prompts, and models. Gates AI artifacts in your editor and CI.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `shomra install-hook`, `shomra protect`, or an installed agent hook later invokes `shomra tool-guard`/`result-guard`.
Impact
Persistent interception of supported agent tool calls and possible transmission of scanned tool or discovery data to the configured Shomra backend.
Mechanism
Explicit coding-agent hook installation with optional configured-backend telemetry.
Rationale
Source inspection does not confirm malicious behavior or lifecycle abuse. Because explicit commands persistently modify AI-agent control surfaces and can route activity to a configured backend, this warrants a warning under the stated policy.
Evidence
package.jsonshomra.mjsdiscovery.mjsguard-signals.mjscode-sast.mjs~/.shomra/config.json~/.codex/hooks.json~/.claude/settings.json~/.gemini/settings.json~/.cursor/hooks.json~/.aider.conf.yml
Network endpoints1
api.github.com

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `shomra.mjs` installs persistent Pre/Post tool hooks into coding-agent configs when `install-hook` or `protect` is run.
  • Installed hooks invoke `shomra tool-guard` and `result-guard`, inspect tool inputs/results, and may send policy-relevant data to a user-configured backend.
  • `discovery.mjs` reads local AI-tool configs and selected API-key environment variables; `report` can transmit discovery data after configuration.
Evidence against
  • `package.json` contains no `preinstall`, `install`, or `postinstall` lifecycle script.
  • Hook/config writes are reachable only through explicit CLI commands, not import-time behavior.
  • Backend URL and key are absent by default; `resolveSettings` makes remote reporting opt-in.
  • `discovery.mjs` only invokes fixed process-listing commands (`ps` or `tasklist`); no downloaded or dynamically executed payload was found.
  • The reported NUL bytes in `shomra.mjs` are an intentional temporary glob-conversion sentinel, not hidden executable content.
  • No bidi control bytes were found in `guard-signals.mjs`; its cloud-metadata and eval references are scanner detection patterns.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 360 KB of source, external domains: 127.0.0.1, api.github.com, example.com, json.schemastore.org, shomra.dev

Source & flagged code

6 flagged · loading source
discovery.mjsView file
21import os from 'node:os'; L22: import { execFileSync } from 'node:child_process'; L23:
High
Child Process

Package source references child process execution.

discovery.mjsView on unpkg · L21
guard-signals.mjsView file
116contains invisible/control Unicode U+180E (mongolian vowel separator) export const INVISIBLE_CHARS_RE = /[؜ᅟᅠ<U+180E><U+200B><U+200C><U+200E><U+200F><U+202A>-<U+202E><U+2060>-⁤<U+2066>-<U+2069>ㅤ<U+FEFF>ᅠ-]|[\u{E0000}-\u{E007F}\u{E0100}-\u{E01EF}]/u;
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

guard-signals.mjsView on unpkg · L116
Trigger-reachable chain: manifest.bin -> shomra.mjs -> guard-signals.mjs Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

guard-signals.mjsView on unpkg
9* unreachable. This module lets the guard block the unambiguously-malicious L10: * cases (curl|sh, reverse shells, base64 RCE, live secrets) locally and L11: * instantly, so protection survives a slow/down/blocked backend. ... L66: { name: 'Pipe-to-shell installer (curl … | sh)', re: /\b(curl|wget)\b[^\n|]{0,200}\|\s*(sudo\s+)?(ba|z|k)?sh\b/i, severity: 'CRITICAL' }, L67: { name: 'PowerShell download-and-run (iwr/curl … | iex)', re: /\b(iwr|curl|wget|invoke-webrequest|invoke-restmethod|irm)\b[^\n|]{0,200}\|\s*(iex|invoke-expression)\b/i, severity: '... L68: { name: 'Invoke-Expression of downloaded content', re: /\b(iex|invoke-expression)\b[^\n]{0,120}(downloadstring|net\.webclient|\(\s*(iwr|irm|invoke-)|\$\()/i, severity: 'CRITICAL' }... ... L73: { name: 'Fetches from a raw IP address', re: /\b(curl|wget|iwr|irm|invoke-webrequest|invoke-restmethod)\b[^\n]{0,220}https?:\/\/\d{1,3}(\.\d{1,3}){3}/i, severity: 'HIGH' }, L74: { name: 'Writes to shell profile / SSH keys / crontab', re: /(\.bashrc|\.zshrc|\.bash_profile|\.profile|authorized_keys|id_rsa\b|\bcrontab\b)/i, severity: 'HIGH' }, L75: { name: 'Recursive force delete (rm -rf)', re: /\brm\s+-[a-z]*r[a-z]*f|\brm\s+-[a-z]*f[a-z]
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

guard-signals.mjsView on unpkg · L9
75{ name: 'Recursive force delete (rm -rf)', re: /\brm\s+-[a-z]*r[a-z]*f|\brm\s+-[a-z]*f[a-z]*r/i, severity: 'HIGH', refine: rmTargetsRealData }, L76: // BARE `eval(`/`exec(` only — the lookbehind drops method calls that merely end L77: // in those letters (`db.exec(`, `RE.exec(`, `page.$eval(`, `$pdo->exec(`).
Low
Eval

Package source references a known benign dynamic code generation pattern.

guard-signals.mjsView on unpkg · L75
shomra.mjsView file
16Cross-file remote execution chain: shomra.mjs spawns guard-signals.mjs; helper contains network access plus dynamic code execution. L16: import crypto from 'node:crypto'; L17: import { execSync } from 'node:child_process'; L18: import { fileURLToPath } from 'node:url'; ... L23: L24: // Read from package.json rather than hardcoding: the two spellings drifted (this L25: // const said 0.2.0 while the package was already 0.2.4), so `shomra --version` ... L31: const here = path.dirname(fileURLToPath(import.meta.url)); L32: return JSON.parse(fs.readFileSync(path.join(here, 'package.json'), 'utf8')).version ?? '0.0.0'; L33: } catch { ... L36: })(); L37: const CONFIG_DIR = path.join(os.homedir(), '.shomra'); L38: const CONFIG_FILE = path.join(CONFIG_DIR, 'config.json');
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

shomra.mjsView on unpkg · L16

Findings

2 Critical4 High3 Medium5 Low
CriticalTrojan Source Unicodeguard-signals.mjs
CriticalTrigger Reachable Dangerous Capabilityguard-signals.mjs
HighChild Processdiscovery.mjs
HighShell
HighCloud Metadata Accessguard-signals.mjs
HighCross File Remote Execution Contextshomra.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvalguard-signals.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings