AI Security Review
scanned 4h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
User runs bp-code skill install/remove or bp-code login/API subcommands.
Impact
Can add/remove bundled agent skills under the configured Claude skills directory; login saves BytePlan credentials locally and sends them to BytePlan endpoints.
Mechanism
User-invoked Claude skills installation and BytePlan API client operations.
Rationale
Static inspection found no unconsented install-time mutation, exfiltration, destructive payload, or remote code execution. Because the package includes explicit user-command mutation of Claude skills, it should warn rather than block.
Evidence
package.jsonsrc/cli.jssrc/commands/skill.jssrc/api/auth.jssrc/api/core.jssrc/archive.jsskills/web-api-capture/scripts/capture.py~/.claude/skills~/.byteplan/.env~/.byteplan/pages/<pageId>/<tagId>
Network endpoints4
dev.byteplan.comuatapp.byteplan.combyteplan.51fubei.comgrafana.ops.byteplan.com
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- src/commands/skill.js explicitly installs bundled skills into default ~/.claude/skills via symlinkSync/cpSync on user command.
- src/commands/skill.js remove can rmSync entries under the selected skills target.
- src/api/auth.js stores BP_USER/BP_PASSWORD/access tokens in ~/.byteplan/.env after login.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle hooks.
- src/cli.js only registers commander subcommands; no install-time execution.
- Network calls are to BytePlan/Grafana service endpoints used by CLI commands, not hidden exfil endpoints.
- No obfuscated payload, eval/Function, dynamic remote code loading, or credential harvesting beyond user-invoked BytePlan login.
- skills/web-api-capture/scripts/capture.py is a documented helper run via browser-use, not invoked automatically.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourceskills/web-api-capture/scripts/capture.pyView file
•path = skills/web-api-capture/scripts/capture.py
kind = build_helper
sizeBytes = 4463
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
skills/web-api-capture/scripts/capture.pyView on unpkgFindings
4 Medium4 Low
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperskills/web-api-capture/scripts/capture.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings