AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
User runs `vortex init` or `vortex global-setup`.
Impact
Later Claude events execute the package CLI and may apply VortEX workflow rules across the configured instance or globally.
Mechanism
Writes Claude hook configuration and managed VortEX instruction blocks.
Rationale
This is not malicious under the install-time boundary, but it is a real explicit-user-command AI-agent control-surface mutation that warrants a warning. No package lifecycle hook performs the mutation automatically.
Evidence
package.jsonbin/vortex.mjsdist/index.jsdist/chunk-PGYGGA6V.jstemplates/config/vortex.json.claude/settings.json~/.claude/settings.json~/.claude/CLAUDE.md~/.claude/vortex-global.json.agent/vortex.json
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/index.js` implements explicit `vortex global-setup` writes to `~/.claude`.
- `dist/chunk-PGYGGA6V.js` adds Claude session, tool, prompt, and stop hooks.
- `vortex init` writes project `.claude/settings.json` and framework templates.
- The installed hook commands invoke `bin/vortex.mjs` on later agent events.
Evidence against
- `package.json` has no preinstall, install, or postinstall lifecycle hook.
- All agent-control writes require `vortex init` or `vortex global-setup`; no import-time setup found.
- No credential harvesting or remote exfiltration code was confirmed.
- The only direct fetch found targets guarded loopback TeamClaude status.
- Default template config sets `sync.autoPush` to false.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/index.jsView file
4352handler: async (input) => {
L4353: const { sqlite, vector, recall: recallEngine, sessionArchive } = await import("@vortex-os/memory-extended");
L4354: const args = parseRecallArgs(input.rest, defaultK);
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/index.jsView on unpkg · L4352dist/dist-C7L3PQCH.jsView file
1826// ── secrets / credentials ──
L1827: ["private-key", /-----BEGIN (?:RSA |EC |OPENSSH |PGP |DSA )?PRIVATE KEY-----/i],
L1828: ["jwt", /\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b/],
...
L1867: ["credential-note", /(?:\bpass(?:word|wd)\b|\bpw\b|\bpwd\b|비밀번호|비번|암호|패스워드)\s*[-:=]?\s+(?=\S*\d)\S{3,}/iu],
L1868: // long opaque token: 40+ base64/hex run (catches prefix-less secrets + hashes; may
L1869: // also flag a sha — acceptable, fail toward blocking).
Low
Weak Crypto
Package source references weak cryptographic algorithms.
dist/dist-C7L3PQCH.jsView on unpkg · L1826Findings
4 Medium6 Low
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/dist-C7L3PQCH.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings