AI Security Review
scanned 4h ago · by lpm-firewall-ai
LPM treats this as warn-only first-party agent extension lifecycle risk. The package is a user-run daemon that connects to a Telecode relay and can optionally install first-party Claude Code hooks. This creates an agent control-surface extension, but it is explicit and package-aligned rather than an unconsented install-time hijack.
Static reason
No blocking static signals were detected.
Trigger
Running `telecode`, or explicitly running `telecode hooks install`.
Impact
Remote Telecode sessions can supervise/drive Claude agent work after user pairing and approvals; optional hooks route local Claude Code events through Telecode.
Mechanism
Outbound relay daemon plus optional Claude Code command hooks.
Rationale
Source inspection shows package-aligned daemon behavior with explicit pairing, outbound relay communication, optional user-command hook setup, and guarded permission handling. Because it mutates an AI-agent control surface only through an explicit first-party command, this is warning-level lifecycle risk rather than malware.
Evidence
- package.json
- bin/telecode.mjs
- src/main.ts
- src/relay-url.ts
- src/pairing.ts
- src/daemon.ts
- src/claude-agent-adapter.ts
- src/adopt/hooks-install.ts
- src/adopt/hook-bridge.ts
- src/adopt/hook-socket.ts
- src/credentials.ts
- src/sessions/repo-manager.ts
- ~/.telecode/credentials.json
- ~/.telecode/repos
- ~/.telecode/worktrees
- ~/.telecode/sessions
- ~/.telecode/adopt-config.json
- ~/.telecode/run/hook.sock
- ~/.claude/settings.json
Network endpoints (2)
- wss://relay.telecode.io/ws
- telecode.io
Decision evidence
public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- src/main.ts exposes explicit `telecode hooks install` that writes Claude Code hooks to `~/.claude/settings.json`.
- src/adopt/hooks-install.ts registers command hooks for PreToolUse, SessionStart, SessionEnd, Notification, and Stop.
- src/daemon.ts dials outbound WebSocket relay and relays agent/session events to the service.
- src/claude-agent-adapter.ts runs Claude Agent SDK sessions that may execute approved tools.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle scripts.
- Hook installation is an explicit CLI subcommand, not install-time or import-time mutation.
- src/adopt/hook-bridge.ts and src/adopt/hook-socket.ts fail closed to `{}` rather than auto-allowing tools.
- src/main.ts redacts tokens/private keys from logs and stores package credentials under `~/.telecode`.
- src/sessions/repo-manager.ts and worktree-manager use execFile with argument arrays, not shell interpolation.
- No credential harvesting, destructive behavior, remote payload download, or broad persistence found.
Behavioral surface
- ChildProcess
- Crypto
- DynamicRequire
- EnvironmentVars
- Filesystem
- Network
- Shell
- WebSocket
- HighEntropyStrings
- CopyleftLicense
Source & flagged code
1 flagged · bin/telecode.mjs
L9: register();
L10: await import(new URL('../src/main.ts', import.meta.url).href);
Medium
Dynamic Require
Package source references dynamic require/import behavior.
bin/telecode.mjs · L9
Findings
3 Medium · 4 Low
- Medium: Dynamic Require (bin/telecode.mjs)
- Medium: Network
- Medium: Environment Vars
- Low: Scripts Present
- Low: Filesystem
- Low: High Entropy Strings
- Low: Copyleft License