AI Security Review
scanned 2h ago · by lpm-firewall-ai
Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
User runs `torya`, invokes the Hermes plugin, or manually runs integrations/hermes/hermes-hook/apply.py.
Impact
Can modify project files and run shell commands in a chosen workspace; Hermes hook can alter a local Hermes agent install for progress streaming.
Mechanism
User-invoked AI agent workspace mutation and explicit Hermes hook setup.
Rationale
Source inspection shows no lifecycle hook or unconsented install-time mutation, and the risky primitives are aligned with an AI coding-agent CLI and explicit Hermes integration. Because the package ships user-command agent control-surface mutation and broad model-driven shell/file capabilities, warn rather than block.
Evidence
- package.json
- dist/cli.js
- dist/tools.js
- dist/registry.js
- dist/catalog.js
- dist/provider.js
- dist/knowledge.js
- integrations/hermes/hermes-hook/apply.py
- integrations/hermes/torya_plugin/__init__.py
- workspace-relative files via dist/tools.js
- ~/.torya/models_dev.json
- ~/.torya/knowledge.jsonl
- ~/hermes-agent/agent/tool_executor.py
- ~/hermes-agent/agent/tool_progress_bridge.py
Network endpoints (2)
- models.dev/api.json
- generativelanguage.googleapis.com/v1beta/models/
Decision evidence
Public snapshot: AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- integrations/hermes/hermes-hook/apply.py explicitly patches a Hermes install's agent/tool_executor.py and copies tool_progress_bridge.py when the user runs it.
- integrations/hermes/torya_plugin/__init__.py registers a Hermes tool that shells out to `torya <goal> --cwd <ws> --json`.
- dist/tools.js exposes write/edit/append/read/grep/glob/bash tools to model-driven builds inside the selected workspace.
- dist/registry.js reads local provider credentials from ~/.torya, ~/.torydev, ~/.hermes, ~/.claude, ~/.codex and process.env.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle hooks.
- dist/cli.js only runs on explicit CLI invocation via bin `torya`.
- dist/tools.js confines file operations to the resolved workspace path before writing or reading.
- Network calls are package-aligned provider/catalog operations, not hidden exfiltration endpoints.
- No obfuscated payloads, destructive install-time behavior, or persistence startup hooks found.
Behavioral surface
- ChildProcess, EnvironmentVars, Filesystem, Network, Shell
- HighEntropyStrings, UrlStrings
Source & flagged code
1 flagged: integrations/hermes/hermes-hook/tool_progress_bridge.py
- path = integrations/hermes/hermes-hook/tool_progress_bridge.py
- kind = build_helper
- sizeBytes = 2299
- magicHex = [redacted]
Medium: Ships Build Helper
Package ships non-JavaScript build or shell helper files.
File: integrations/hermes/hermes-hook/tool_progress_bridge.py
Findings
4 Medium, 4 Low
- Medium: Network
- Medium: Environment Vars
- Medium: Ships Build Helper (integrations/hermes/hermes-hook/tool_progress_bridge.py)
- Medium: Structural Risk (Force Deep Review)
- Low: Scripts Present
- Low: Filesystem
- Low: High Entropy Strings
- Low: Url Strings