AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `agent-hq hint`, `agent-hq register`, `agent-hq init`, or invokes its MCP worker tools.
Impact
A consenting operator can grant this package an MCP integration and launch configured coding-worker processes.
Mechanism
Prompted AI-agent configuration registration and configured local CLI delegation.
Rationale
This is not concretely malicious, but it deliberately modifies AI-agent control surfaces and launches configured agent workers when explicitly invoked. Per policy, that explicit-user-command agent-control capability warrants a warning rather than a publish block.
Evidence
package.jsondist/server.jsdist/hint-cli.jsdist/register-cli.jsdist/runners/process.jsdist/console-server.jsdist/tool-lifecycle.js
Decision evidence
public snapshotAI called this Suspicious at 89.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/hint-cli.js` can add a Claude SessionStart hook and Codex AGENTS.md guidance.
- `dist/register-cli.js` can register this MCP server with Claude, Codex, and Cursor.
- `dist/runners/process.js` spawns configured local worker CLIs.
- `dist/tool-lifecycle.js` exposes MCP tools that launch and cancel worker jobs.
Evidence against
- `package.json` has no preinstall, install, or postinstall lifecycle hook.
- `dist/server.js` only runs when its CLI bin is invoked; import then dispatches explicit commands.
- `dist/hint-cli.js` requires an explicit hint command plus per-target confirmation, except explicit `--yes`.
- `dist/register-cli.js` refuses non-TTY writes and otherwise prompts per host.
- `dist/console-server.js` binds its authenticated console to `127.0.0.1`; no external endpoint was confirmed.
- No eval, native loading, credential exfiltration, remote payload retrieval, or stealth persistence was found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/console/fonts/archivo-variable-latin.woff2View file
•path = dist/console/fonts/archivo-variable-latin.woff2
kind = high_entropy_blob
sizeBytes = 34940
magicHex = [redacted]
High
Ships High Entropy Blob
Package ships high-entropy non-source blobs.
dist/console/fonts/archivo-variable-latin.woff2View on unpkgdist/console-server.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = agent-hq-mcp@0.10.3
matchedIdentity = npm:YWdlbnQtaHEtbWNw:0.10.3
similarity = 0.437
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/console-server.jsView on unpkgFindings
2 High3 Medium4 Low
HighShips High Entropy Blobdist/console/fonts/archivo-variable-latin.woff2
HighPrevious Version Dangerous Deltadist/console-server.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings