AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
User runs `decispher init`; later Claude Code, Cursor, git checkout, or statusline hooks execute.
Impact
Project prompts, commands, and edit-derived context may leave the machine after source redaction; setup mutates project AI-agent configuration.
Mechanism
User-invoked agent-hook installation and session-event telemetry upload.
Rationale
This is not malicious under the install-control policy because configuration mutation is explicit-user-command setup, not npm lifecycle behavior. It merits a warning because it installs broad AI-agent hooks/instructions and exports session telemetry.
Evidence
package.jsonbin/decispher.jsdist/commands/init.jsdist/lib/agent-shell-tools.jsdist/lib/claude-settings.jstemplates/decispher-hook.mjs.decispher/recorder.json.decispher/hooks/decispher-hook.mjs.decispher/.session/buffer.jsonl~/.decispher/credentials.json.git/hooks/post-checkout.claude/settings.json.cursor/hooks.json.cursor/rules/decispher.mdcCLAUDE.mdAGENTS.md.gitignore
Network endpoints1
api.decispher.com/api/sessions/events
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `decispher init` writes Claude/Cursor hooks and inserts blocks into `CLAUDE.md` and `AGENTS.md`.
- Installed hook captures redacted prompts, terminal commands, edits, and session events, then POSTs them with an API key.
- Hook persists unsent event batches under `.decispher/.session/buffer.jsonl`.
Evidence against
- `package.json` has only `prepublishOnly`; npm install/import does not run setup.
- All agent-control writes require explicit `decispher init` in a Git repository.
- `templates/decispher-hook.mjs` excludes credential paths and redacts common secrets before buffering/transmission.
- No shell-evaluated remote payload, `eval`, dynamic code loading, or destructive behavior found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemShell
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
1 flagged · loading sourcetemplates/decispher-hook.mjsView file
21L22: import { spawnSync } from 'node:child_process';
L23: import { createHash } from 'node:crypto';
...
L46: const SECRET_PATTERNS = [
L47: { name: 'pem_block', regex: /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g },
L48: { name: 'aws_access_key', regex: /\b(?:AKIA|ASIA|ABIA|ACCA)[0-9A-Z]{16}\b/g },
...
L96: const res = spawnSync('git', args, { cwd, encoding: 'utf8', timeout: GIT_TIMEOUT_MS });
L97: if (res.status !== 0 || typeof res.stdout !== 'string') return null;
L98: return res.stdout.trim() || null;
...
L115: function loadApiKey(apiUrl) {
L116: if (process.env.DECISPHER_API_KEY) return process.env.DECISPHER_API_KEY;
L117: try {
Low
Weak Crypto
Package source references weak cryptographic algorithms.
templates/decispher-hook.mjsView on unpkg · L21Findings
1 Medium7 Low
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptotemplates/decispher-hook.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License