AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
Explicit `treeseed-agents`/service runtime execution with configured provider and Codex environment variables.
Impact
Can modify an assigned repository worktree and create a configured Codex auth file.
Mechanism
Configured AI-agent orchestration with workspace-write and MCP tool dispatch.
Rationale
Source inspection found a real, high-impact AI-agent capability but no concrete malicious chain. Mark as a warning for dangerous runtime capability rather than block it.
Evidence
package.jsondist/scripts/prepare.jsdist/agents/adapters/execution-codex.jsdist/agents/adapters/codex-auth.jsdist/agents/tools/agent-tool-mcp-server.jsdist/provider/config.jsdist/scripts/treeseed-agents.jsdist/scripts/treeseed-agent-service.jsdist/agents/registry.jsdist/provider/client.js
Network endpoints1
api.treeseed.dev
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/agents/adapters/execution-codex.js` starts Codex with workspace-write capability and approved assignment-scoped MCP tools.
- `dist/agents/adapters/codex-auth.js` can create `CODEX_HOME/auth.json` from explicitly supplied environment credentials.
- `dist/provider/config.js` defaults provider management traffic to `https://api.treeseed.dev`.
Evidence against
- `package.json` has no `preinstall`, `install`, or `postinstall`; its `prepare` target `scripts/prepare.ts` is absent from the packed package.
- CLI wrappers dispatch only fixed internal scripts after explicit user commands.
- Codex workspace-write requests require a worktree and non-empty allowed paths.
- Credential creation uses supplied `TREESEED_CODEX_AUTH_JSON` data and does not harvest existing credentials.
- No source evidence of hidden exfiltration, destructive install behavior, remote payload download, or broad foreign agent-config mutation.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
CopyleftLicense
Source & flagged code
2 flagged · loading sourcedist/agents/registry.jsView file
79}
L80: function resolveSelfContractImport(importPath) {
L81: const relativeContractPath = SELF_CONTRACT_IMPORTS[importPath];
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/agents/registry.jsView on unpkg · L79docker-entrypoint.shView file
•path = docker-entrypoint.sh
kind = build_helper
sizeBytes = 498
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
docker-entrypoint.shView on unpkgFindings
5 Medium6 Low
MediumDynamic Requiredist/agents/registry.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperdocker-entrypoint.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License