registry  /  attribut  /  1.2.1

attribut@1.2.1

ATTRIBUT thin allowlist telemetry collector for AI coding agents (Claude Code, OpenAI Codex, Cursor, Google Antigravity) — extracts only safe, signal-bearing fields (never prompt/response/code/diff text) and POSTs them to ingest.

AI Security Review

scanned 5h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Explicit setup installs ATTRIBUT-owned hooks into supported AI-agent configuration files and an optional hourly heartbeat timer. Invoked hooks read local session metadata, create local identifiers/state, and POST authenticated telemetry. No npm lifecycle-time mutation occurs.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `attribut install` or `attribut connect`; installed hooks and timer run afterward.
Impact
Persistent collection of bounded AI coding-session metadata and machine/device identifiers to the configured ingest service; setup changes agent configuration and user scheduler state.
Mechanism
User-authorized agent-hook telemetry collection with persistent heartbeat and conditional self-update.
Rationale
Source confirms explicit-user-command installation of first-party AI-agent hooks, persistent heartbeat scheduling, telemetry transmission, and conditional self-update. These are material lifecycle risks but do not meet the block threshold for unconsented install-time hijacking or concrete malicious behavior.
Evidence
package.jsonsrc/collector.cjssrc/install.cjssrc/timer.cjssrc/heartbeat.cjssrc/update.cjs~/.claude/settings.json~/.codex/config.toml~/.cursor/hooks.json~/.gemini/config/hooks.json~/.attribut/token~/.attribut/device_uuid~/.attribut/machine_id~/.attribut/state.json~/Library/LaunchAgents/ai.attribut.heartbeat.plist~/.config/systemd/user/attribut-heartbeat.service~/.config/systemd/user/attribut-heartbeat.timer
Network endpoints2
ingest.attribut.ai/v1/hookingest.attribut.ai/v1/heartbeat

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `src/install.cjs` explicitly installs hooks for Claude, Codex, Cursor, and Antigravity.
  • `src/timer.cjs` creates an hourly launchd/systemd/Task Scheduler heartbeat job after explicit connection.
  • `src/collector.cjs` reads local AI-agent session artifacts and posts telemetry with a bearer token.
  • `src/update.cjs` supports heartbeat-directed npm global self-updates when enabled.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hook.
  • Hook and timer setup require explicit `attribut install` or `attribut connect` commands.
  • `src/install.cjs` scopes mutations to package-owned hook entries and backs up configs.
  • `src/collector.cjs` defaults to `https://ingest.attribut.ai` and rejects non-HTTPS unless a testing override is set.
  • `src/contract/envelope.schema.json` constrains transmitted telemetry to bounded metadata rather than arbitrary files/content.
  • No eval, VM execution, remote payload loading, or hidden import-time execution was found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 25 file(s), 333 KB of source, external domains: attribut.ai, ingest.attribut.ai, registry.npmjs.org, www.apple.com

Source & flagged code

4 flagged · loading source
src/timer.cjsView file
30const path = require('path'); L31: const { execFileSync } = require('child_process'); L32:
High
Child Process

Package source references child process execution.

src/timer.cjsView on unpkg · L30
15// (~/.config/systemd/user/attribut-heartbeat.{service,timer}) L16: // Windows — a Task Scheduler task via `schtasks /create ... /sc hourly` L17: // ... L21: // `attribut connect` outright: the hooks are already live and doing the L22: // important work. Timer failures are logged to stderr and swallowed. L23: // ... L30: const path = require('path'); L31: const { execFileSync } = require('child_process'); L32: ... L39: function out(msg) { L40: process.stdout.write(`${msg}\n`); L41: }
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

src/timer.cjsView on unpkg · L15
src/update.cjsView file
matchType = previous_version_dangerous_delta matchedPackage = attribut@1.0.1 matchedIdentity = npm:YXR0cmlidXQ:1.0.1 similarity = 0.750 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/update.cjsView on unpkg
21// global install with a writable package dir. pnpm/bun/yarn/npx/source-checkout L22: // installs are never touched in the background (cross-manager `npm i -g` can L23: // duplicate or corrupt an install) — those get the interactive `attribut ... L32: const http = require('http'); L33: const { execFileSync } = require('child_process'); L34: const { URL } = require('url');
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

src/update.cjsView on unpkg · L21

Findings

1 Critical2 High4 Medium4 Low
CriticalPrevious Version Dangerous Deltasrc/update.cjs
HighChild Processsrc/timer.cjs
HighRuntime Package Installsrc/update.cjs
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencesrc/timer.cjs
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings