registry  /  agentlenspro  /  2.6.0

agentlenspro@2.6.0

AgentlensPro — professional observability for AI agent sessions: OTEL traces and local log file ingestion, CLI + server + skills. Standalone (npx) and Docker.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Starting the server can automatically alter AI-agent telemetry settings and register a Claude stop hook. The configured exporters target the package's local receiver, not a remote host.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `agentlenspro` or starts its server.
Impact
Prompts and tool details may be captured into local AgentLens storage after agent restart.
Mechanism
Automatic local AI-agent telemetry and hook configuration.
Rationale
No concrete malicious chain is established. Downgrade to warn because default server startup performs non-install-time configuration of multiple AI-agent control surfaces and enables detailed local telemetry capture.
Evidence
package.jsonstandalone/cli.jsstandalone/server.jsscripts/safe_config_edit.pyREADME.md~/.claude/settings.json~/.codex/config.toml~/.agentlens/telemetry-managed.json
Network endpoints3
localhost:4318localhost:4316/mcplocalhost:3000

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `standalone/server.js` auto-runs telemetry configuration when its server starts.
  • It edits `~/.claude/settings.json`, `~/.codex/config.toml`, and detected VS Code Copilot settings.
  • Configured telemetry enables prompt/tool-content logging and points OTLP at localhost.
  • `standalone/cli.js` exposes explicit setup, telemetry, hook, and daemon commands.
Evidence against
  • `package.json` has no npm install, postinstall, or preinstall hook; only `prepublishOnly`.
  • Network implementation uses local HTTP listeners and localhost endpoints; no external exfiltration host was found.
  • Child-process use launches the bundled server or safe local Python config editor, not shell payloads.
  • Config editor validates scoped operations, backs up files, and rejects unrelated changes.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 1.98 MB of source, external domains: 127.0.0.1, github.com, json-schema.org, raw.githubusercontent.com, spec.openapis.org, stackoverflow.com, tools.ietf.org, www.safaribooksonline.com, www.w3.org

Source & flagged code

7 flagged · loading source
standalone/server.jsView file
164"goldeneye": { inputPerMTok: 1.25, cacheReadPerMTok: 0.125, cacheWritePerMTok: 0, outputPerMTok: 10, contextWindowTokens: 0, multiplier: 0, multiplierAnnualPostJun1: 0 }, L165: // ── OpenCode Zen https://opencode.ai/docs/zen/ ──────────────────────────── L166: // big-pickle: OpenCode's stealth model, free during limited evaluation period. ... L1365: // validation function arguments L1366: data: new codegen_1.Name("data"), L1367: // data passed to validation function ... L2392: id = normalizeId(id); L2393: return resolver.resolve(baseId, id); L2394: } ... L3255: for (i = 0; i < input.length; i++) { L3256: code = input[i].charCodeAt(0); L3257: if (code === 48) {
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

standalone/server.jsView on unpkg · L164
164Trigger-reachable chain: manifest.bin -> standalone/cli.js -> standalone/server.js L164: "goldeneye": { inputPerMTok: 1.25, cacheReadPerMTok: 0.125, cacheWritePerMTok: 0, outputPerMTok: 10, contextWindowTokens: 0, multiplier: 0, multiplierAnnualPostJun1: 0 }, L165: // ── OpenCode Zen https://opencode.ai/docs/zen/ ──────────────────────────── L166: // big-pickle: OpenCode's stealth model, free during limited evaluation period. ... L1365: // validation function arguments L1366: data: new codegen_1.Name("data"), L1367: // data passed to validation function ... L2392: id = normalizeId(id); L2393: return resolver.resolve(baseId, id); L2394: } ... L3255: for (i = 0; i < input.length; i++) { L3256: code = input[i].charCodeAt(0); L3257: if (code === 48) {
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

standalone/server.jsView on unpkg · L164
9260var os15 = __toESM(require("os")); L9261: var import_child_process4 = require("child_process"); L9262:
High
Child Process

Package source references child process execution.

standalone/server.jsView on unpkg · L9260
37261otlpServer.listen(OTLP_PORT, BIND_HOST, () => { L37262: console.log(`[AgentLens] OTLP receiver \u2192 http://localhost:${OTLP_PORT}`); L37263: }); ... L37274: console.log(`[AgentLens] MCP server \u2192 http://localhost:${MCP_PORT}/mcp`); L37275: if (process.env.AGENTLENS_OPEN_BROWSER === "1" || process.argv.includes("--open")) { L37276: const cmd = process.platform === "darwin" ? `open "${url}"` : process.platform === "win32" ? `start "" "${url}"` : `xdg-open "${url}"`; L37277: (0, import_child_process4.exec)(cmd, (err) => { L37278: if (err) console.log(`
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

standalone/server.jsView on unpkg · L37261
3081sourceCode = this.opts.code.process(sourceCode, sch); L3082: const makeValidate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode); L3083: const validate = makeValidate(this, this.scope.get());
Low
Eval

Package source references a known benign dynamic code generation pattern.

standalone/server.jsView on unpkg · L3081
standalone/cli.jsView file
50Cross-file remote execution chain: standalone/cli.js spawns standalone/server.js; helper contains network access plus dynamic code execution. L50: // src/safeConfigEdit.ts L51: var import_child_process = require("child_process"); L52: var path = __toESM(require("path")); L53: var SafeEditError = class extends Error { L54: constructor(message, exitCode) { L55: super(message); ... L63: if (cachedPythonBin) return cachedPythonBin; L64: const candidates = process.platform === "win32" ? ["python", "py", "python3"] : ["python3", "python"]; L65: for (const bin of candidates) { ... L77: const candidates = [ L78: path.join(__dirname, "..", "scripts", "safe_config_edit.py"), L79: path.join(__dirname, "..", "..", "scripts", "safe_config_edit.py")
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

standalone/cli.jsView on unpkg · L50
scripts/safe_config_edit.pyView file
path = scripts/safe_config_edit.py kind = build_helper sizeBytes = 21359 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/safe_config_edit.pyView on unpkg

Findings

2 Critical4 High4 Medium6 Low
CriticalCredential Exfiltrationstandalone/server.js
CriticalTrigger Reachable Dangerous Capabilitystandalone/server.js
HighChild Processstandalone/server.js
HighShell
HighSame File Env Network Executionstandalone/server.js
HighCross File Remote Execution Contextstandalone/cli.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/safe_config_edit.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvalstandalone/server.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings