registry  /  agentlenspro  /  1.0.1

agentlenspro@1.0.1

AgentlensPro — professional observability for AI agent sessions: OTEL traces and local log file ingestion, CLI + server + skills. Standalone (npx) and Docker.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Running the server automatically enables local telemetry for Codex and detected VS Code Copilot settings. An explicit CLI option installs Claude lifecycle hooks that forward event data to the local server. No external exfiltration endpoint was found.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs the `agentlenspro` server bin; hooks require explicit `agentlenspro-cli --install-hooks`.
Impact
Changes user AI-agent configuration and can collect prompts, tool details, and raw API bodies into `~/.agentlens` for local observability.
Mechanism
Local AI-agent telemetry configuration, log capture, and loopback hook forwarding.
Rationale
Warn because server startup mutates first-party AI-agent configuration and enables high-sensitivity local telemetry capture without a separate setup flag. It is not malicious under the stated boundary because mutation is runtime/user-invoked, package-aligned, and loopback-only.
Evidence
package.jsonstandalone/server.jsscripts/agentlens-cli.jsscripts/agentlenspro-hook.jsscripts/agentlenspro-gate.jsscripts/spy-agentlens.mjs~/.codex/config.toml~/.claude/settings.json~/.agentlens/telemetry-managed.json~/.agentlens/otel-bodiesscripts/spy-agentlens-gate.mjs
Network endpoints3
localhost:3000localhost:4318localhost:4316/mcp

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `standalone/server.js` calls `applyAutoConfig()` at server startup.
  • Startup edits `~/.codex/config.toml` and VS Code Copilot settings to enable OTLP.
  • `agentlenspro-cli --install-hooks` writes Claude hook registrations.
  • Hooks forward stdin telemetry to the local dashboard endpoint.
Evidence against
  • `package.json` has only `prepublishOnly`; no install lifecycle hook.
  • Observed runtime endpoints are loopback-only (`localhost`).
  • No external host or credential-exfiltration request found.
  • Config and hooks are package-aligned observability setup, with explicit hook installation.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 11 file(s), 3.30 MB of source, external domains: github.com, json-schema.org, opencode.ai, raw.githubusercontent.com, spec.openapis.org, stackoverflow.com, tools.ietf.org, www.safaribooksonline.com, www.w3.org

Source & flagged code

7 flagged · loading source
standalone/server.jsView file
154"goldeneye": { inputPerMTok: 1.25, cacheReadPerMTok: 0.125, cacheWritePerMTok: 0, outputPerMTok: 10, contextWindowTokens: 0, multiplier: 0, multiplierAnnualPostJun1: 0 }, L155: // ── OpenCode Zen https://opencode.ai/docs/zen/ ──────────────────────────── L156: // big-pickle: OpenCode's stealth model, free during limited evaluation period. ... L1355: // validation function arguments L1356: data: new codegen_1.Name("data"), L1357: // data passed to validation function ... L2382: id = normalizeId(id); L2383: return resolver.resolve(baseId, id); L2384: } ... L3245: for (i = 0; i < input.length; i++) { L3246: code = input[i].charCodeAt(0); L3247: if (code === 48) {
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

standalone/server.jsView on unpkg · L154
9250var os12 = __toESM(require("os")); L9251: var import_child_process4 = require("child_process"); L9252:
High
Child Process

Package source references child process execution.

standalone/server.jsView on unpkg · L9250
36119otlpServer.listen(OTLP_PORT, BIND_HOST, () => { L36120: console.log(`[AgentLens] OTLP receiver \u2192 http://localhost:${OTLP_PORT}`); L36121: }); ... L36132: console.log(`[AgentLens] MCP server \u2192 http://localhost:${MCP_PORT}/mcp`); L36133: if (process.env.AGENTLENS_OPEN_BROWSER === "1" || process.argv.includes("--open")) { L36134: const cmd = process.platform === "darwin" ? `open "${url}"` : process.platform === "win32" ? `start "" "${url}"` : `xdg-open "${url}"`; L36135: (0, import_child_process4.exec)(cmd, (err) => { L36136: if (err) console.log(`
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

standalone/server.jsView on unpkg · L36119
standalone/cli.jsView file
39Trigger-reachable chain: manifest.bin -> standalone/cli.js L39: if (cachedPythonBin) return cachedPythonBin; L40: const candidates = process.platform === "win32" ? ["python", "py", "python3"] : ["python3", "python"]; L41: for (const bin of candidates) { L42: try { L43: (0, import_child_process.execFileSync)(bin, ["--version"], { timeout: 5e3, stdio: "ignore" }); L44: cachedPythonBin = bin; ... L53: const candidates = [ L54: path.join(__dirname, "..", "scripts", "safe_config_edit.py"), L55: path.join(__dirname, "..", "..", "scripts", "safe_config_edit.py") ... L74: return new Promise((resolve2, reject) => { L75: const child = (0, import_child_process.execFile)(pythonBin(), args, { timeout: 6e4 }, (err, stdout, stderr) => { L76: if (err) {
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

standalone/cli.jsView on unpkg · L39
14516sourceCode = this.opts.code.process(sourceCode, sch); L14517: const makeValidate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode); L14518: const validate = makeValidate(this, this.scope.get());
High
Eval

Package source references dynamic code evaluation.

standalone/cli.jsView on unpkg · L14516
scripts/agentlens-supervise.jsView file
5Cross-file remote execution chain: scripts/agentlens-supervise.js spawns standalone/server.js; helper contains network access plus dynamic code execution. L5: * Keeps `standalone/server.js` alive: on any non-clean exit (a V8 OOM abort exits 134, a signal kill, L6: * etc.) it restarts the collector with EXPONENTIAL BACKOFF and appends the crash reason — exit code / L7: * signal, uptime, and the tail of the child's stderr — to `~/.agentlens/crash.log`. Before this, the ... L20: const path = require('path') L21: const { spawn } = require('child_process') L22: L23: const REPO = path.resolve(__dirname, '..') L24: const DATA_DIR = process.env.DATA_DIR || path.join(os.homedir(), '.agentlens') L25: const CRASH_LOG = path.join(DATA_DIR, 'crash.log') ... L39: try { fs.appendFileSync(CRASH_LOG, line) } catch { /* best effort */ } L40: process.stderr.write(`[supervisor] ${line}`) L41: }
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

scripts/agentlens-supervise.jsView on unpkg · L5
scripts/configure-codex.ps1View file
path = scripts/configure-codex.ps1 kind = build_helper sizeBytes = 1543 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/configure-codex.ps1View on unpkg

Findings

2 Critical5 High4 Medium5 Low
CriticalCredential Exfiltrationstandalone/server.js
CriticalTrigger Reachable Dangerous Capabilitystandalone/cli.js
HighChild Processstandalone/server.js
HighShell
HighEvalstandalone/cli.js
HighSame File Env Network Executionstandalone/server.js
HighCross File Remote Execution Contextscripts/agentlens-supervise.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/configure-codex.ps1
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings