registry  /  alimbo  /  0.2.9

alimbo@0.2.9

An AI agent gateway for tool orchestration, automation, and chat integrations.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `alimbo hook`, `alimbo claude`, `alimbo copilot`, or the interactive setup command.
Impact
Configured hook payloads may include AI-agent tool context and commands, enabling the selected interception service to approve or deny tool actions.
Mechanism
Explicit project-scoped AI-agent hook installation and remote interception
Rationale
No automatic lifecycle execution or concrete malware chain is present, but explicit project AI-agent control-surface mutation plus remote interception is a material capability requiring a warning. The shipped archives are inert source snapshots and are not loaded by reviewed code.
Evidence
package.jsondist/cli.jsdist/cli/hook.jsdist/cli/unhook.jsdist/setup.jsdist/hooks/scripts/_common.mjsdist/hooks/scripts/copilot/session-end.mjs.claude/settings.json.claude/scripts.github/hooks/alimbo-intercept.json.github/hooks/scripts.env~/.copilot/hooks/lifecycle-state.json
Network endpoints1
go.aigc4me.cloud

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/cli/hook.js` explicitly writes `.claude/settings.json` and `.github/hooks/alimbo-intercept.json` into the current project.
  • Copied hook scripts read tool input and send hook payloads to a configured intercept server through `requestGatewayHook`.
  • `dist/setup.js` defaults the cloud service URL to `https://go.aigc4me.cloud` and writes intercept settings into the user's `.env`.
  • `dist/hooks/scripts/copilot/session-end.mjs` can delete the named PM2 gateway when an opt-in environment flag is set.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
  • Agent-control writes occur only through explicit CLI commands such as `alimbo hook`, `alimbo claude`, or `alimbo copilot`.
  • Hook installation is project-scoped and normally skips existing files unless `--force` is supplied.
  • No source evidence of hidden payload execution, credential harvesting, destructive broad filesystem behavior, or silent network execution on install.
  • Nested archives inventory as prior source snapshots; no executable loader references them.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 75 file(s), 679 KB of source, external domains: 0.0.0.0, 127.0.0.1, api.openai.com, appleid.apple.com, go.aigc4me.cloud, open.feishu.cn, open.larksuite.com

Source & flagged code

6 flagged · loading source
dist/bridge/feishu.jsView file
8import { buildFeishuReplyPayload } from "./reply-format.js"; L9: process.title = process.env.PROCESS_TITLE || "alimbo-feishu"; L10: const ATTACHMENT_LISTEN_WINDOW_MS = 5 * 60 * 1000; ... L34: try { L35: const parsed = JSON.parse(rawContent); L36: if (messageType === "text") { ... L73: const normalized = String(domain ?? "").trim().toLowerCase(); L74: return normalized === "lark" ? "https://open.larksuite.com" : "https://open.feishu.cn"; L75: } ... L125: headers: { "Content-Type": "application/json" }, L126: body: JSON.stringify({ app_id: feishuCfg.appId, app_secret: feishuCfg.appSecret }), L127: });
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/bridge/feishu.jsView on unpkg · L8
dist/hooks/agentwatch/.claude/permrequest-hook.shView file
path = dist/hooks/agentwatch/.claude/permrequest-hook.sh kind = payload_in_excluded_dir sizeBytes = 6416 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

dist/hooks/agentwatch/.claude/permrequest-hook.shView on unpkg
path = dist/hooks/agentwatch/.claude/permrequest-hook.sh kind = build_helper sizeBytes = 6416 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

dist/hooks/agentwatch/.claude/permrequest-hook.shView on unpkg
dist/myclaw-v0.2.0-source.tar.gzView file
path = dist/myclaw-v0.2.0-source.tar.gz kind = high_entropy_blob sizeBytes = 38485 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/myclaw-v0.2.0-source.tar.gzView on unpkg
path = dist/myclaw-v0.2.0-source.tar.gz kind = compressed_blob sizeBytes = 38485 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

dist/myclaw-v0.2.0-source.tar.gzView on unpkg
dist/alimbo-v0.2.2-source.zipView file
path = dist/alimbo-v0.2.2-source.zip kind = nested_archive_needs_inspection sizeBytes = 176240 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

dist/alimbo-v0.2.2-source.zipView on unpkg

Findings

2 High5 Medium7 Low
HighShips High Entropy Blobdist/myclaw-v0.2.0-source.tar.gz
HighPayload In Excluded Dirdist/hooks/agentwatch/.claude/permrequest-hook.sh
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperdist/hooks/agentwatch/.claude/permrequest-hook.sh
MediumShips Compressed Blobdist/myclaw-v0.2.0-source.tar.gz
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/bridge/feishu.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNested Archive Needs Inspectiondist/alimbo-v0.2.2-source.zip
LowNo License