AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot- `bin/claude-collab-config.js` explicitly writes local agent configuration.
- `src/config-store.js` stores `api_key` plaintext in `~/.claude-collab/config.json`.
- `src/cli.js` sends the configured API key in `X-API-Key` to a configurable MCP host.
- `src/file-hook.js` writes pending-message JSON into an external OpenClaw-related directory.
- `package.json` has no preinstall, install, postinstall, or prepare hook.
- All network calls are activated by exported APIs or user-invoked CLI commands.
- The default network target is local `127.0.0.1:3010`; no hard-coded external host exists.
- No child-process, eval, dynamic loading, persistence, deletion, or credential harvesting was found.
- Config CLI redacts the API key when displaying it.
Source & flagged code
4 flagged · loading source`bin/claude-collab-config.js` explicitly writes local agent configuration.
bin/claude-collab-config.jsView on unpkg`src/config-store.js` stores `api_key` plaintext in `~/.claude-collab/config.json`.
src/config-store.jsView on unpkg`src/cli.js` sends the configured API key in `X-API-Key` to a configurable MCP host.
src/cli.jsView on unpkg`src/file-hook.js` writes pending-message JSON into an external OpenClaw-related directory.
src/file-hook.jsView on unpkg