AI Security Review
scanned 4h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
User runs CLI commands such as `bp-code login`, `bp-code skill install`, `bp-code page create`, or API subcommands.
Impact
Can write local BytePlan config/credentials, archive selected project files, or copy bundled skills to Claude's skills directory when explicitly requested.
Mechanism
User-invoked BytePlan API client and bundled skill copier
Rationale
Static inspection shows a legitimate BytePlan CLI with user-invoked API, credential, archive, and skill-management behavior, with no automatic lifecycle mutation or exfiltration chain. Because it can explicitly mutate an AI-agent skill directory, warn rather than block.
Evidence
package.jsonsrc/cli.jssrc/api/core.jssrc/api/auth.jssrc/commands/skill.jssrc/archive.jsskills/web-api-capture/scripts/capture.pyskills/web-api-capture/scripts/inpage_hook.js~/.byteplan.byteplan/.env.byteplan/.env.<env>~/.byteplan/pages/<pageId>/<tagId>~/.claude/skills/<skill>/tmp/api_capture
Network endpoints4
dev.byteplan.comuatapp.byteplan.combyteplan.51fubei.comgrafana.ops.byteplan.com
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- src/commands/skill.js explicit `bp-code skill install/remove` copies/removes bundled skills under default `~/.claude/skills`.
- src/api/core.js creates `~/.byteplan` at module import and loads `~/.byteplan/.env` when present.
- src/api/auth.js stores BytePlan credentials and tokens in `~/.byteplan/.env` and `~/.byteplan/.env.<env>` after user login.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle hooks; only CLI bins and main export are declared.
- Network calls in src/api/*.js target BytePlan/Grafana service endpoints used by CLI commands, not arbitrary exfiltration hosts.
- No eval/vm/Function, native binary loading, hidden downloader, or remote code execution path found.
- AI-agent skill directory mutation is behind explicit `bp-code skill install/remove` commands, not automatic install-time behavior.
- skills/web-api-capture/scripts/capture.py writes capture output to user-selected/default `/tmp/api_capture` for documented browser-use workflow.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourceskills/web-api-capture/scripts/capture.pyView file
•path = skills/web-api-capture/scripts/capture.py
kind = build_helper
sizeBytes = 4463
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
skills/web-api-capture/scripts/capture.pyView on unpkgFindings
4 Medium4 Low
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperskills/web-api-capture/scripts/capture.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings