AI Security Review
scanned 4h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
Configured owner sends bot commands after explicit `conductor-telegram start`; persistence and Claude plugin setup require explicit CLI/setup actions.
Impact
Compromise of the configured Telegram owner account or bot token could enable high-privilege agent actions in configured local workspaces.
Mechanism
Authenticated Telegram-to-local AI-agent launcher with optional macOS service and Claude MCP registration.
Rationale
Direct source inspection found no malicious install hook, covert exfiltration, or foreign AI-agent control-surface mutation. Its authenticated remote agent launcher with default permission bypass is a concrete dangerous capability that warrants warning rather than a publish block.
Evidence
package.jsondist/chunk-PXMTG2N3.jsdist/bot/index.jsdist/chunk-ZYKM4257.jsdist/cli/service.jsdist/setup-VCYYS5BU.js~/.conductor-telegram/config.json~/.conductor-telegram/downloads~/.claude/plugins/conductor-telegram-mcp/.claude-plugin/plugin.json~/.claude/plugins/conductor-telegram-mcp/.mcp.json~/Library/LaunchAgents/net.belong.conductor-telegram.plist~/Library/LaunchAgents/net.belong.conductor-telegram.watchdog.plist
Network endpoints1
api.telegram.org
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `dist/chunk-PXMTG2N3.js` defaults agent permission mode to `bypassPermissions`.
- `dist/bot/index.js` launches local Claude/Codex agents from Telegram-supplied prompts.
- `dist/bot/index.js` downloads Telegram attachments and stages them into agent workspaces.
- `dist/chunk-ZYKM4257.js` can register a Claude Code MCP plugin that launches this package's server.
- `dist/cli/service.js` can install a persistent macOS LaunchAgent, but only through `service install`.
Evidence against
- `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
- `dist/bot/index.js` rejects Telegram requests unless chat/user matches configured owner values.
- `dist/setup-VCYYS5BU.js` asks before saving configuration and before MCP-plugin installation.
- Observed network use is Telegram API communication required for the stated bot function.
- No credential harvesting, unrelated exfiltration, remote payload loading, or obfuscated execution was found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/cli/service.jsView file
1// src/cli/service.ts
L2: import { spawnSync } from "child_process";
L3: import fs from "fs";
...
L8: var WATCHDOG_LABEL = "net.belong.conductor-telegram.watchdog";
L9: var STATE_DIR = path.join(os.homedir(), ".conductor-telegram");
L10: var LAUNCH_AGENTS_DIR = path.join(os.homedir(), "Library", "LaunchAgents");
...
L28: }
L29: function launchctl(args) {
L30: const result = spawnSync("launchctl", args, { encoding: "utf8" });
...
L32: code: result.status ?? -1,
L33: stdout: result.stdout ?? "",
L34: stderr: result.stderr ?? ""
Medium
Install Persistence
Source writes installer persistence such as shell profile or service configuration.
dist/cli/service.jsView on unpkg · L1Findings
3 Medium4 Low
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/cli/service.js
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings