registry  /  attribut  /  1.2.2

attribut@1.2.2

ATTRIBUT thin allowlist telemetry collector for AI coding agents (Claude Code, OpenAI Codex, Cursor, Google Antigravity) — extracts only safe, signal-bearing fields (never prompt/response/code/diff text) and POSTs them to ingest.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Explicit CLI setup installs package-owned hooks into four AI coding-agent configurations and creates a recurring heartbeat. Hooks parse local session metadata and transmit authenticated telemetry; the heartbeat can apply a server-pinned npm package update.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `attribut install` or `attribut connect`; configured hooks and hourly timer run afterward.
Impact
Persistent collection of bounded AI-session metadata and remote package-version changes on qualifying global installs.
Mechanism
AI-agent hook registration, telemetry upload, scheduler persistence, and guarded self-update.
Rationale
Source inspection confirms a user-invoked AI-agent extension and scheduler lifecycle with telemetry and remote self-update capability. No install-time lifecycle execution or covert malicious chain was found, so this warrants a warning rather than a block.
Evidence
package.jsonsrc/collector.cjssrc/install.cjssrc/connect.cjssrc/timer.cjssrc/update.cjs~/.claude/settings.json~/.codex/config.toml~/.cursor/hooks.json~/.gemini/config/hooks.json~/.attribut/token*~/.attribut/state.json~/Library/LaunchAgents/ai.attribut.heartbeat.plist~/.config/systemd/user/attribut-heartbeat.service~/.config/systemd/user/attribut-heartbeat.timer
Network endpoints2
ingest.attribut.ai/v1/hookregistry.npmjs.org/attribut/latest

Decision evidence

public snapshot
AI called this Suspicious at 92.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `src/install.cjs` explicitly writes command hooks into Claude, Codex, Cursor, and Antigravity user configs.
  • `src/connect.cjs` invokes hook registration and creates an hourly OS timer after user-run `attribut connect`.
  • `src/timer.cjs` persists launchd, systemd-user, or Windows scheduled-task heartbeat execution.
  • `src/collector.cjs` reads local AI-session artifacts and POSTs telemetry with a stored bearer token to `https://ingest.attribut.ai/v1/hook`.
  • `src/update.cjs` can run `npm install -g attribut@<server-pinned-version>` from a heartbeat-directed update response.
Evidence against
  • `package.json` has no npm preinstall, install, postinstall, or prepare lifecycle hook.
  • Hook/config changes occur through explicit `attribut install` or `attribut connect`, not package installation.
  • `src/collector.cjs` validates a bounded envelope and uses HTTPS by default.
  • No eval, VM execution, arbitrary shell construction, credential harvesting, destructive deletion, or unrelated endpoint was found.
  • Scheduler entries execute the package's own `heartbeat` command and have matching removal paths.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 25 file(s), 336 KB of source, external domains: attribut.ai, ingest.attribut.ai, registry.npmjs.org, www.apple.com

Source & flagged code

4 flagged · loading source
src/timer.cjsView file
30const path = require('path'); L31: const { execFileSync } = require('child_process'); L32:
High
Child Process

Package source references child process execution.

src/timer.cjsView on unpkg · L30
15// (~/.config/systemd/user/attribut-heartbeat.{service,timer}) L16: // Windows — a Task Scheduler task via `schtasks /create ... /sc hourly` L17: // ... L21: // `attribut connect` outright: the hooks are already live and doing the L22: // important work. Timer failures are logged to stderr and swallowed. L23: // ... L30: const path = require('path'); L31: const { execFileSync } = require('child_process'); L32: ... L39: function out(msg) { L40: process.stdout.write(`${msg}\n`); L41: }
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

src/timer.cjsView on unpkg · L15
src/update.cjsView file
21// global install with a writable package dir. pnpm/bun/yarn/npx/source-checkout L22: // installs are never touched in the background (cross-manager `npm i -g` can L23: // duplicate or corrupt an install) — those get the interactive `attribut ... L32: const http = require('http'); L33: const { execFileSync } = require('child_process'); L34: const { URL } = require('url');
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

src/update.cjsView on unpkg · L21
src/backfill.cjsView file
matchType = previous_version_dangerous_delta matchedPackage = attribut@1.2.1 matchedIdentity = npm:YXR0cmlidXQ:1.2.1 similarity = 0.920 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/backfill.cjsView on unpkg

Findings

1 Critical2 High4 Medium4 Low
CriticalPrevious Version Dangerous Deltasrc/backfill.cjs
HighChild Processsrc/timer.cjs
HighRuntime Package Installsrc/update.cjs
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencesrc/timer.cjs
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings