AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `wfm skill install` or starts a workflow with a real adapter.
Impact
User-authorized modification of agent skill directories and execution of configured local agent CLIs.
Mechanism
Explicit agent-skill installation and workflow-driven subprocess execution.
Rationale
Source inspection found an explicit user-invoked agent-extension installer, not malware. Per policy, this warrants a warning for agent capability abuse rather than a publish block.
Evidence
package.jsondist/index.jsdist/piAgentExecutor.jsdist/acpExecutor.jsdist/remote/api.jsdist/remote/telemetry.jsdist/remote/config.js
Network endpoints1
whairnylpdvxxgbygbzu.supabase.co/functions/v1/
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/index.js` implements `wfm skill install`.
- That command can write bundled skills to `.claude/skills` or `.config/opencode/skill`.
- `dist/piAgentExecutor.js` spawns configured agent commands during explicit workflow runs.
- `dist/remote/api.js` sends registry and opt-in telemetry requests to Supabase.
Evidence against
- `package.json` has no preinstall/install/postinstall hook.
- The only lifecycle entry references missing `scripts/install-git-hooks.mjs`; no shipped lifecycle payload exists.
- Skill writes require the explicit `wfm skill install` command.
- No eval/vm, credential harvesting, stealth persistence, or exfiltration path was found.
- Telemetry is gated on an existing workflow-manager auth token and sends run metadata.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsMinifiedUrlStrings
Source & flagged code
1 flagged · loading sourcedist/index.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @workflow-manager/runner@0.7.0
matchedIdentity = npm:[redacted]:0.7.0
similarity = 0.769
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/index.jsView on unpkgFindings
1 High3 Medium5 Low
HighPrevious Version Dangerous Deltadist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings