registry  /  agentlenspro  /  2.0.0

agentlenspro@2.0.0

AgentlensPro — professional observability for AI agent sessions: OTEL traces and local log file ingestion, CLI + server + skills. Standalone (npx) and Docker.

AI Security Review

scanned 14m ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Starting the standalone server automatically mutates several AI-agent configuration surfaces and installs Claude command hooks. The configured telemetry exporter is local, and the server persists collected agent telemetry under `~/.agentlens`; no outbound exfiltration was confirmed.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs `agentlenspro server start` or otherwise starts `standalone/server.js`.
Impact
Agent prompts, tool details, responses, and raw API bodies can be captured locally; other tool hooks may be removed.
Mechanism
Runtime auto-configuration of Claude, Codex, and Copilot telemetry plus Claude hooks.
Rationale
The scanner's claimed environment-to-external-exfiltration chain is not supported by inspected source: relevant endpoints are loopback and fetches are local UI/API calls. However, automatic multi-agent configuration and hook mutation on server startup warrants a warning.
Evidence
package.jsonstandalone/cli.jsstandalone/server.jsscripts/safe_config_edit.py~/.claude/settings.json~/.codex/config.tomlVS Code-family/User/settings.json~/.agentlens/telemetry-managed.json~/.agentlens/otel-bodies~/.agentlens
Network endpoints3
localhost:4316/mcplocalhost:4318localhost:3000

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `standalone/server.js` invokes auto-configuration when the server starts.
  • It writes Claude telemetry and hook settings, Codex `config.toml`, and VS Code Copilot settings.
  • Claude hooks register `agentlenspro hook` and `agentlenspro gate`; setup also removes matching Spyglass hooks.
  • Telemetry enables prompt, tool-content, assistant-response, and raw-body collection into `~/.agentlens`.
Evidence against
  • `package.json` has no preinstall/install/postinstall lifecycle hook.
  • Observed telemetry endpoints are loopback `http://localhost:<port>`.
  • No source-backed external credential-exfiltration endpoint was found.
  • `safe_config_edit.py` constrains edits, backs up files, and verifies declared changes.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 1.87 MB of source, external domains: 127.0.0.1, github.com, json-schema.org, raw.githubusercontent.com, spec.openapis.org, stackoverflow.com, tools.ietf.org, www.safaribooksonline.com, www.w3.org

Source & flagged code

8 flagged · loading source
standalone/server.jsView file
154"goldeneye": { inputPerMTok: 1.25, cacheReadPerMTok: 0.125, cacheWritePerMTok: 0, outputPerMTok: 10, contextWindowTokens: 0, multiplier: 0, multiplierAnnualPostJun1: 0 }, L155: // ── OpenCode Zen https://opencode.ai/docs/zen/ ──────────────────────────── L156: // big-pickle: OpenCode's stealth model, free during limited evaluation period. ... L1355: // validation function arguments L1356: data: new codegen_1.Name("data"), L1357: // data passed to validation function ... L2382: id = normalizeId(id); L2383: return resolver.resolve(baseId, id); L2384: } ... L3245: for (i = 0; i < input.length; i++) { L3246: code = input[i].charCodeAt(0); L3247: if (code === 48) {
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

standalone/server.jsView on unpkg · L154
154Trigger-reachable chain: manifest.bin -> standalone/cli.js -> standalone/server.js L154: "goldeneye": { inputPerMTok: 1.25, cacheReadPerMTok: 0.125, cacheWritePerMTok: 0, outputPerMTok: 10, contextWindowTokens: 0, multiplier: 0, multiplierAnnualPostJun1: 0 }, L155: // ── OpenCode Zen https://opencode.ai/docs/zen/ ──────────────────────────── L156: // big-pickle: OpenCode's stealth model, free during limited evaluation period. ... L1355: // validation function arguments L1356: data: new codegen_1.Name("data"), L1357: // data passed to validation function ... L2382: id = normalizeId(id); L2383: return resolver.resolve(baseId, id); L2384: } ... L3245: for (i = 0; i < input.length; i++) { L3246: code = input[i].charCodeAt(0); L3247: if (code === 48) {
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

standalone/server.jsView on unpkg · L154
9250var os12 = __toESM(require("os")); L9251: var import_child_process4 = require("child_process"); L9252:
High
Child Process

Package source references child process execution.

standalone/server.jsView on unpkg · L9250
36119otlpServer.listen(OTLP_PORT, BIND_HOST, () => { L36120: console.log(`[AgentLens] OTLP receiver \u2192 http://localhost:${OTLP_PORT}`); L36121: }); ... L36132: console.log(`[AgentLens] MCP server \u2192 http://localhost:${MCP_PORT}/mcp`); L36133: if (process.env.AGENTLENS_OPEN_BROWSER === "1" || process.argv.includes("--open")) { L36134: const cmd = process.platform === "darwin" ? `open "${url}"` : process.platform === "win32" ? `start "" "${url}"` : `xdg-open "${url}"`; L36135: (0, import_child_process4.exec)(cmd, (err) => { L36136: if (err) console.log(`
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

standalone/server.jsView on unpkg · L36119
3071sourceCode = this.opts.code.process(sourceCode, sch); L3072: const makeValidate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode); L3073: const validate = makeValidate(this, this.scope.get());
Low
Eval

Package source references a known benign dynamic code generation pattern.

standalone/server.jsView on unpkg · L3071
standalone/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = agentlenspro@1.0.1 matchedIdentity = npm:YWdlbnRsZW5zcHJv:1.0.1 similarity = 0.750 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

standalone/cli.jsView on unpkg
45Cross-file remote execution chain: standalone/cli.js spawns standalone/server.js; helper contains network access plus dynamic code execution. L45: // src/safeConfigEdit.ts L46: var import_child_process = require("child_process"); L47: var path = __toESM(require("path")); L48: var SafeEditError = class extends Error { L49: constructor(message, exitCode) { L50: super(message); ... L58: if (cachedPythonBin) return cachedPythonBin; L59: const candidates = process.platform === "win32" ? ["python", "py", "python3"] : ["python3", "python"]; L60: for (const bin of candidates) { ... L72: const candidates = [ L73: path.join(__dirname, "..", "scripts", "safe_config_edit.py"), L74: path.join(__dirname, "..", "..", "scripts", "safe_config_edit.py")
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

standalone/cli.jsView on unpkg · L45
scripts/safe_config_edit.pyView file
path = scripts/safe_config_edit.py kind = build_helper sizeBytes = 21359 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/safe_config_edit.pyView on unpkg

Findings

3 Critical4 High4 Medium6 Low
CriticalCredential Exfiltrationstandalone/server.js
CriticalTrigger Reachable Dangerous Capabilitystandalone/server.js
CriticalPrevious Version Dangerous Deltastandalone/cli.js
HighChild Processstandalone/server.js
HighShell
HighSame File Env Network Executionstandalone/server.js
HighCross File Remote Execution Contextstandalone/cli.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/safe_config_edit.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvalstandalone/server.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings