AI Security Review
scanned 2d ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `agent-hq register` and confirms prompts; workers run only after an MCP or CLI task request.
Impact
User-approved host-agent configuration changes and execution of configured local worker CLIs.
Mechanism
Confirmed, prompt-gated AI-agent MCP registration and local CLI-worker spawning.
Rationale
This is not concrete malware or an install-time hijack, but it has an explicit-user-command AI-agent configuration mutation capability that merits a warning under the stated policy.
Evidence
package.jsondist/register-cli.jsdist/runners/process.jsdist/console-server.jsdist/secret-store.jsdist/console/fonts/archivo-variable-latin.woff2~/.codex/config.toml~/.cursor/mcp.json
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/register-cli.js` writes MCP registrations to `~/.codex/config.toml` and `~/.cursor/mcp.json`.
- Those AI-agent config mutations are activated by explicit `agent-hq register` and per-target terminal confirmation.
- `dist/runners/process.js` spawns configured local CLI workers, enabling delegated coding-agent execution.
- `dist/update-cli.js` supports an explicit self-update command that invokes npm.
Evidence against
- `package.json` has no preinstall, install, or postinstall lifecycle hook.
- `dist/register-cli.js` prints snippets and exits without a TTY rather than mutating host config.
- `dist/console-server.js` binds its management UI only to `127.0.0.1` with a random token.
- `dist/secret-store.js` stores supplied provider keys in the OS keychain; no source evidence of secret exfiltration.
- The high-entropy flagged blob is a valid WOFF2 font in `dist/console/fonts/archivo-variable-latin.woff2`.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/console/fonts/archivo-variable-latin.woff2View file
•path = dist/console/fonts/archivo-variable-latin.woff2
kind = high_entropy_blob
sizeBytes = 34940
magicHex = [redacted]
High
Ships High Entropy Blob
Package ships high-entropy non-source blobs.
dist/console/fonts/archivo-variable-latin.woff2View on unpkgdist/console-server.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = agent-hq-mcp@0.7.2
matchedIdentity = npm:YWdlbnQtaHEtbWNw:0.7.2
similarity = 0.483
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/console-server.jsView on unpkgFindings
2 High3 Medium4 Low
HighShips High Entropy Blobdist/console/fonts/archivo-variable-latin.woff2
HighPrevious Version Dangerous Deltadist/console-server.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings