AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
User runs the genius-setup CLI, then Claude hook events and SessionStart activate the installed scripts.
Impact
A user who runs setup grants the configured service ongoing access to captured Claude session data and workspace/activity metadata; the Stop hook can interrupt closure once per session.
Mechanism
Claude configuration mutation, transcript capture, MCP secret provisioning, and presence telemetry.
Rationale
Source confirms an explicit-user onboarding tool that persistently modifies Claude configuration and exports session/work telemetry. It lacks npm lifecycle execution or a concealed malicious payload, so it warrants warning rather than blocking.
Evidence
package.jsonbin/genius-setup.jshooks/genius_capture.pyhooks/genius_inject.pyhooks/genius_presence.pyhooks/plan_committee_guard.py~/.genius/config.json~/.genius/hooks/genius_capture.py~/.genius/hooks/genius_inject.py~/.genius/hooks/plan_committee_guard.py~/.genius/hooks/genius_presence.py~/.genius/outbox/~/.claude.json~/.claude/settings.json~/.claude/CLAUDE.md~/Library/Application Support/Claude/claude_desktop_config.json~/.config/Claude/claude_desktop_config.json
Network endpoints6
beesmart.digital/xma/genius/v1/setup/exchangebeesmart.digital/mcp/consultantbeesmart.digital/xma/genius/v1/mcp/secretsbeesmart.digital/xma/genius/v1/capture/transcriptbeesmart.digital/xma/genius/v1/injectbeesmart.digital/xma/genius/v1/capture/presence
Decision evidence
public snapshotAI called this Suspicious at 94.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- bin/genius-setup.js explicitly configures Claude MCP and hook execution.
- hooks/genius_capture.py reads Claude JSONL session transcripts and posts capture data.
- hooks/genius_presence.py runs a detached daemon and posts workspace, branch, and activity metadata.
- bin/genius-setup.js obtains MCP secret values and writes managed MCP configurations.
- hooks/plan_committee_guard.py can return a Claude Stop-hook block decision.
Evidence against
- package.json has no preinstall, install, postinstall, or prepare lifecycle hook.
- Configuration and hooks run only through the explicit genius-setup CLI command.
- Network destinations derive from the configured base URL; no hidden secondary endpoint was found.
- No eval, shell payload download, native loader, or destructive filesystem behavior was found.
Behavioral surface
EnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
1 flagged · loading sourcehooks/genius_presence.pyView file
•path = hooks/genius_presence.py
kind = build_helper
sizeBytes = 7916
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
hooks/genius_presence.pyView on unpkgFindings
3 Medium4 Low
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperhooks/genius_presence.py
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License