registry  /  agentlenspro  /  2.1.0

agentlenspro@2.1.0

AgentlensPro — professional observability for AI agent sessions: OTEL traces and local log file ingestion, CLI + server + skills. Standalone (npx) and Docker.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Starting the server automatically modifies supported AI-agent telemetry configuration, directing telemetry to a local receiver. Explicit `setup` additionally installs package-owned hooks/skills. No install-time execution or outbound exfiltration endpoint was confirmed.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Run `agentlenspro` with no command, or start its server; `setup` is an explicit user command.
Impact
May collect prompts, tool details, and agent telemetry locally after runtime configuration changes.
Mechanism
Local AI-agent telemetry configuration, hook setup, log ingestion, and localhost HTTP services.
Rationale
Not malicious under the install-control policy because no lifecycle hook mutates a foreign agent surface and observed traffic is local. Warn because server startup—not only explicit setup—automatically changes third-party AI-agent configuration and enables collection of sensitive agent telemetry.
Evidence
package.jsonstandalone/cli.jsstandalone/server.jsscripts/safe_config_edit.pyREADME.md~/.claude/settings.json~/.codex/config.toml~/.agentlens
Network endpoints2
localhost:4318127.0.0.1:4318

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `standalone/server.js` runs `applyAutoConfig()` when the server starts.
  • Auto-configuration writes Claude, Codex, and Copilot telemetry settings pointing to local OTLP.
  • `standalone/cli.js` setup installs AgentLens hooks and a skill through explicit `setup`.
  • Runtime reads AI-agent logs/configuration and persists collected telemetry under `~/.agentlens`.
Evidence against
  • `package.json` has only `prepublishOnly`; no preinstall/install/postinstall hook.
  • `standalone/server.js` binds UI, OTLP, and MCP services to `127.0.0.1` by default.
  • Observed telemetry endpoints are localhost-only; no outbound credential-exfiltration host was found.
  • `scripts/safe_config_edit.py` limits config writes to declared paths and verifies diffs/backups.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 1.88 MB of source, external domains: 127.0.0.1, github.com, json-schema.org, raw.githubusercontent.com, spec.openapis.org, stackoverflow.com, tools.ietf.org, www.safaribooksonline.com, www.w3.org

Source & flagged code

7 flagged · loading source
standalone/server.jsView file
154"goldeneye": { inputPerMTok: 1.25, cacheReadPerMTok: 0.125, cacheWritePerMTok: 0, outputPerMTok: 10, contextWindowTokens: 0, multiplier: 0, multiplierAnnualPostJun1: 0 }, L155: // ── OpenCode Zen https://opencode.ai/docs/zen/ ──────────────────────────── L156: // big-pickle: OpenCode's stealth model, free during limited evaluation period. ... L1355: // validation function arguments L1356: data: new codegen_1.Name("data"), L1357: // data passed to validation function ... L2382: id = normalizeId(id); L2383: return resolver.resolve(baseId, id); L2384: } ... L3245: for (i = 0; i < input.length; i++) { L3246: code = input[i].charCodeAt(0); L3247: if (code === 48) {
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

standalone/server.jsView on unpkg · L154
154Trigger-reachable chain: manifest.bin -> standalone/cli.js -> standalone/server.js L154: "goldeneye": { inputPerMTok: 1.25, cacheReadPerMTok: 0.125, cacheWritePerMTok: 0, outputPerMTok: 10, contextWindowTokens: 0, multiplier: 0, multiplierAnnualPostJun1: 0 }, L155: // ── OpenCode Zen https://opencode.ai/docs/zen/ ──────────────────────────── L156: // big-pickle: OpenCode's stealth model, free during limited evaluation period. ... L1355: // validation function arguments L1356: data: new codegen_1.Name("data"), L1357: // data passed to validation function ... L2382: id = normalizeId(id); L2383: return resolver.resolve(baseId, id); L2384: } ... L3245: for (i = 0; i < input.length; i++) { L3246: code = input[i].charCodeAt(0); L3247: if (code === 48) {
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

standalone/server.jsView on unpkg · L154
9250var os12 = __toESM(require("os")); L9251: var import_child_process4 = require("child_process"); L9252:
High
Child Process

Package source references child process execution.

standalone/server.jsView on unpkg · L9250
36239otlpServer.listen(OTLP_PORT, BIND_HOST, () => { L36240: console.log(`[AgentLens] OTLP receiver \u2192 http://localhost:${OTLP_PORT}`); L36241: }); ... L36252: console.log(`[AgentLens] MCP server \u2192 http://localhost:${MCP_PORT}/mcp`); L36253: if (process.env.AGENTLENS_OPEN_BROWSER === "1" || process.argv.includes("--open")) { L36254: const cmd = process.platform === "darwin" ? `open "${url}"` : process.platform === "win32" ? `start "" "${url}"` : `xdg-open "${url}"`; L36255: (0, import_child_process4.exec)(cmd, (err) => { L36256: if (err) console.log(`
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

standalone/server.jsView on unpkg · L36239
3071sourceCode = this.opts.code.process(sourceCode, sch); L3072: const makeValidate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode); L3073: const validate = makeValidate(this, this.scope.get());
Low
Eval

Package source references a known benign dynamic code generation pattern.

standalone/server.jsView on unpkg · L3071
standalone/cli.jsView file
45Cross-file remote execution chain: standalone/cli.js spawns standalone/server.js; helper contains network access plus dynamic code execution. L45: // src/safeConfigEdit.ts L46: var import_child_process = require("child_process"); L47: var path = __toESM(require("path")); L48: var SafeEditError = class extends Error { L49: constructor(message, exitCode) { L50: super(message); ... L58: if (cachedPythonBin) return cachedPythonBin; L59: const candidates = process.platform === "win32" ? ["python", "py", "python3"] : ["python3", "python"]; L60: for (const bin of candidates) { ... L72: const candidates = [ L73: path.join(__dirname, "..", "scripts", "safe_config_edit.py"), L74: path.join(__dirname, "..", "..", "scripts", "safe_config_edit.py")
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

standalone/cli.jsView on unpkg · L45
scripts/safe_config_edit.pyView file
path = scripts/safe_config_edit.py kind = build_helper sizeBytes = 21359 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/safe_config_edit.pyView on unpkg

Findings

2 Critical4 High4 Medium6 Low
CriticalCredential Exfiltrationstandalone/server.js
CriticalTrigger Reachable Dangerous Capabilitystandalone/server.js
HighChild Processstandalone/server.js
HighShell
HighSame File Env Network Executionstandalone/server.js
HighCross File Remote Execution Contextstandalone/cli.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/safe_config_edit.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvalstandalone/server.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings