AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No unconsented install-time behavior is present. The package intentionally deploys and operates a first-party autonomous coding-agent service after explicit user commands.
Static reason
No blocking static signals were detected.
Trigger
User runs `factory setup` and enables the Azure-hosted runtime.
Impact
A user-authorized deployment can modify assigned repositories and maintain package-owned runtime services.
Mechanism
Package-owned agent orchestration, workspace editing, container execution, and scheduled self-update.
Rationale
Not malicious: source inspection found no lifecycle hook, covert exfiltration, foreign control-surface mutation, or stealth payload execution. Warn because it intentionally provisions persistent first-party autonomous agent infrastructure with repository-modifying capability.
Evidence
package.jsonbin/factorybootstrap/setup.shbootstrap/auto-update.shsrc/agent-executor.jssrc/workspace-tools.jssrc/container-runner.jssrc/process.js
Network endpoints3
registry.npmjs.org/factory-ai/latestmanagement.azure.comapi.telegram.org
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `bin/factory` explicit `setup` deploys Azure runtime.
- `bootstrap/setup.sh` installs package-owned systemd services/timers.
- `src/agent-executor.js` runs agent tasks against cloned workspaces.
- `src/workspace-tools.js` permits bounded workspace writes and allowlisted commands.
- `bootstrap/auto-update.sh` periodically updates the deployed runtime.
Evidence against
- `package.json` has no npm lifecycle hooks.
- No import-time execution beyond CLI/service entrypoints.
- `src/process.js` uses `spawn` with `shell: false`, timeouts, and output caps.
- `src/container-runner.js` uses read-only, dropped-capability containers.
- Workspace tools restrict paths and deny git push/remote/credential operations.
- No source evidence of credential exfiltration or covert external endpoint.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcebootstrap/setup.shView file
•path = bootstrap/setup.sh
kind = build_helper
sizeBytes = 7881
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
bootstrap/setup.shView on unpkgFindings
4 Medium4 Low
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperbootstrap/setup.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings