registry  /  @tuent/sentinel  /  0.4.0

@tuent/sentinel@0.4.0

AI agent behavioral security monitoring SDK

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a Claude Code security monitor whose risky primitives are explicit setup actions for its documented hook/gateway integration.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs 'sentinel init claude-code', then Claude Code hook events may invoke the local gateway.
Impact
Installs guardrail hooks and local state; can gate Claude Code tool calls, but not through npm lifecycle or hidden execution.
Mechanism
Documented user-invoked Claude hook installation and local policy gateway
Rationale
Static inspection shows sensitive Claude hook and daemon capabilities, but they are explicitly user-invoked, documented, reversible, and not delivered by install/import-time execution. Scanner findings map to package-aligned monitoring functions rather than malware or unconsented agent control hijacking.
Evidence
package.jsondist/cli.jsdist/chunk-A5LGAJHS.jsdist/chunk-LATQNIRW.jsdist/gatewayDaemon.jsREADME.md.sentinel.yaml.claude/settings.local.json~/.dahlia/cc-hook.mjs~/.dahlia/fail-closed-tiers.json~/.dahlia/sentinel-gateway.pid~/.dahlia/sentinel-gateway.token~/.dahlia/gateway.log
Network endpoints3
localhost:7847/api/sentinel/healthlocalhost:7847/api/sentinel/pre-tool-use/claude-codelocalhost:7847/api/sentinel/post-tool-use/claude-code

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/chunk-A5LGAJHS.js merges Claude Code hooks into .claude/settings.local.json and writes ~/.dahlia/cc-hook.mjs when init is explicitly run
  • dist/chunk-A5LGAJHS.js hook can spawn a detached local gateway daemon on Claude SessionStart
  • dist/chunk-LATQNIRW.js uses execSync only to run ps against a numeric PID from its own pid file
Evidence against
  • package.json has no install/postinstall/prepare lifecycle script; prepack is publish-time build only
  • dist/cli.js only calls runInitClaudeCode for user-invoked 'sentinel init claude-code' and runDisableClaudeCode for disable
  • README.md documents init writing Claude hooks, ~/.dahlia state, disable flow, and uninstall recovery
  • dist/chunk-A5LGAJHS.js refuses machine-wide ~/.claude install from home unless --global is passed
  • network use is local gateway health/API traffic or user-configured webhook/alert handling, not hardcoded exfiltration
  • No credential harvesting, remote payload fetch/exec, destructive behavior, or import-time execution found
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 22 file(s), 698 KB of source, external domains: example.com

Source & flagged code

4 flagged · loading source
dist/chunk-LATQNIRW.jsView file
2import { readFileSync, writeFileSync, unlinkSync, renameSync } from "fs"; L3: import { execSync } from "child_process"; L4: import { join } from "path";
High
Child Process

Package source references child process execution.

dist/chunk-LATQNIRW.jsView on unpkg · L2
dist/chunk-XII5LGU7.jsView file
25"**/.pgpass", L26: "**/.zsh_history", L27: "**/.config/gh/**", ... L62: "10.0.0.0/8", L63: // RFC1918 private (Class A) L64: "172.16.0.0/12", ... L76: ]; L77: var DEFAULT_DANGEROUS_SCHEMES = ["file:", "data:", "javascript:", "vbscript:"]; L78: ... L273: var DEFAULT_OVERLAY_PATH = path.join( L274: os.homedir(), L275: ".dahlia",
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/chunk-XII5LGU7.jsView on unpkg · L25
dist/chunk-A5LGAJHS.jsView file
39import { join, resolve, sep } from "node:path"; L40: import { spawn } from "node:child_process"; L41: import { createRequire } from "node:module"; ... L44: const PORT = 7847; L45: const BASE_URL = \`http://localhost:\${PORT}\`; L46: const TIMEOUT_MS = 2000; L47: const HOME = process.env.HOME || process.env.USERPROFILE || ""; L48: const TIERS_PATH = join(HOME, ".dahlia", "fail-closed-tiers.json");
Critical
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution with blocking evidence.

dist/chunk-A5LGAJHS.jsView on unpkg · L39
Trigger-reachable chain: manifest.main -> dist/index.js -> dist/chunk-A5LGAJHS.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/chunk-A5LGAJHS.jsView on unpkg

Findings

2 Critical2 High4 Medium5 Low
CriticalSame File Env Network Executiondist/chunk-A5LGAJHS.js
CriticalTrigger Reachable Dangerous Capabilitydist/chunk-A5LGAJHS.js
HighChild Processdist/chunk-LATQNIRW.js
HighShell
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/chunk-XII5LGU7.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings