registry  /  agentlenspro  /  1.0.0

agentlenspro@1.0.0

AgentlensPro — professional observability for AI agent sessions: OTEL traces and local log file ingestion, CLI + server + skills. Standalone (npx) and Docker.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Starting the standalone server automatically modifies global AI-agent telemetry configuration by default. It redirects detailed agent telemetry to a local AgentLens collector and installs a Claude hook.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs the package standalone server or invokes the primary CLI path that starts it.
Impact
Claude, Codex, and Copilot sessions may send prompts, tool content, and traces to the local collector under `~/.agentlens`.
Mechanism
Runtime auto-configuration of foreign AI-agent settings and local telemetry/hooks.
Rationale
No concrete malicious payload or external exfiltration was confirmed. The automatic cross-agent configuration and hook installation at normal runtime create a material AI-agent lifecycle/privacy risk that warrants warning.
Evidence
package.jsonstandalone/server.jsstandalone/cli.jsscripts/agentlens-cli.jsscripts/configure-claude.shscripts/configure-codex.shscripts/configure-copilot.shscripts/configure-agents.shscripts/agentlens-supervise.jsscripts/agentlenspro-hook.jsscripts/agentlenspro-gate.jsscripts/spy-agentlens.mjsscripts/spy-agentlens-gate.mjsscripts/safe_config_edit.py
Network endpoints4
localhost:4318localhost:3000localhost:4316/mcp127.0.0.1

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `standalone/server.js` calls `applyAutoConfig()` during server startup.
  • Default startup writes telemetry settings for Claude, Codex, and Copilot.
  • It installs a Claude Stop hook and enables prompt/tool-content telemetry to localhost.
  • `scripts/agentlens-cli.js` can install Claude hooks and copy a skill into `~/.claude/skills`.
  • No npm install/preinstall/postinstall lifecycle hook exists.
Evidence against
  • All confirmed telemetry endpoints are localhost (`127.0.0.1`, ports 4318/3000/4316).
  • No outbound HTTP request or external exfiltration endpoint was confirmed.
  • Child-process use starts the local server or opens the local dashboard.
  • `eval`/`Function` matches are bundled dependency validation code, not a package payload.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 11 file(s), 3.28 MB of source, external domains: github.com, json-schema.org, opencode.ai, raw.githubusercontent.com, spec.openapis.org, stackoverflow.com, tools.ietf.org, www.safaribooksonline.com, www.w3.org

Source & flagged code

7 flagged · loading source
standalone/server.jsView file
154"goldeneye": { inputPerMTok: 1.25, cacheReadPerMTok: 0.125, cacheWritePerMTok: 0, outputPerMTok: 10, contextWindowTokens: 0, multiplier: 0, multiplierAnnualPostJun1: 0 }, L155: // ── OpenCode Zen https://opencode.ai/docs/zen/ ──────────────────────────── L156: // big-pickle: OpenCode's stealth model, free during limited evaluation period. ... L1355: // validation function arguments L1356: data: new codegen_1.Name("data"), L1357: // data passed to validation function ... L2382: id = normalizeId(id); L2383: return resolver.resolve(baseId, id); L2384: } ... L3245: for (i = 0; i < input.length; i++) { L3246: code = input[i].charCodeAt(0); L3247: if (code === 48) {
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

standalone/server.jsView on unpkg · L154
9250var os12 = __toESM(require("os")); L9251: var import_child_process4 = require("child_process"); L9252:
High
Child Process

Package source references child process execution.

standalone/server.jsView on unpkg · L9250
35927otlpServer.listen(OTLP_PORT, BIND_HOST, () => { L35928: console.log(`[AgentLens] OTLP receiver \u2192 http://localhost:${OTLP_PORT}`); L35929: }); ... L35940: console.log(`[AgentLens] MCP server \u2192 http://localhost:${MCP_PORT}/mcp`); L35941: if (process.env.AGENTLENS_OPEN_BROWSER === "1" || process.argv.includes("--open")) { L35942: const cmd = process.platform === "darwin" ? `open "${url}"` : process.platform === "win32" ? `start "" "${url}"` : `xdg-open "${url}"`; L35943: (0, import_child_process4.exec)(cmd, (err) => { L35944: if (err) console.log(`
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

standalone/server.jsView on unpkg · L35927
standalone/cli.jsView file
39Trigger-reachable chain: manifest.bin -> standalone/cli.js L39: if (cachedPythonBin) return cachedPythonBin; L40: const candidates = process.platform === "win32" ? ["python", "py", "python3"] : ["python3", "python"]; L41: for (const bin of candidates) { L42: try { L43: (0, import_child_process.execFileSync)(bin, ["--version"], { timeout: 5e3, stdio: "ignore" }); L44: cachedPythonBin = bin; ... L53: const candidates = [ L54: path.join(__dirname, "..", "scripts", "safe_config_edit.py"), L55: path.join(__dirname, "..", "..", "scripts", "safe_config_edit.py") ... L74: return new Promise((resolve2, reject) => { L75: const child = (0, import_child_process.execFile)(pythonBin(), args, { timeout: 6e4 }, (err, stdout, stderr) => { L76: if (err) {
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

standalone/cli.jsView on unpkg · L39
14516sourceCode = this.opts.code.process(sourceCode, sch); L14517: const makeValidate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode); L14518: const validate = makeValidate(this, this.scope.get());
High
Eval

Package source references dynamic code evaluation.

standalone/cli.jsView on unpkg · L14516
scripts/agentlens-supervise.jsView file
5Cross-file remote execution chain: scripts/agentlens-supervise.js spawns standalone/server.js; helper contains network access plus dynamic code execution. L5: * Keeps `standalone/server.js` alive: on any non-clean exit (a V8 OOM abort exits 134, a signal kill, L6: * etc.) it restarts the collector with EXPONENTIAL BACKOFF and appends the crash reason — exit code / L7: * signal, uptime, and the tail of the child's stderr — to `~/.agentlens/crash.log`. Before this, the ... L20: const path = require('path') L21: const { spawn } = require('child_process') L22: L23: const REPO = path.resolve(__dirname, '..') L24: const DATA_DIR = process.env.DATA_DIR || path.join(os.homedir(), '.agentlens') L25: const CRASH_LOG = path.join(DATA_DIR, 'crash.log') ... L39: try { fs.appendFileSync(CRASH_LOG, line) } catch { /* best effort */ } L40: process.stderr.write(`[supervisor] ${line}`) L41: }
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

scripts/agentlens-supervise.jsView on unpkg · L5
scripts/configure-codex.ps1View file
path = scripts/configure-codex.ps1 kind = build_helper sizeBytes = 1543 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/configure-codex.ps1View on unpkg

Findings

2 Critical5 High4 Medium5 Low
CriticalCredential Exfiltrationstandalone/server.js
CriticalTrigger Reachable Dangerous Capabilitystandalone/cli.js
HighChild Processstandalone/server.js
HighShell
HighEvalstandalone/cli.js
HighSame File Env Network Executionstandalone/server.js
HighCross File Remote Execution Contextscripts/agentlens-supervise.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/configure-codex.ps1
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings