AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
User runs `factory setup` or the packaged deployment scripts; runtime services then process authorized objectives.
Impact
Can modify assigned repositories, create PRs, and update its own deployed runtime; no unconsented package-install mutation or exfiltration was found.
Mechanism
User-deployed persistent AI-agent orchestration with verified self-update and GitHub/Azure access.
Rationale
Source inspection found a transparent, explicitly deployed autonomous coding-agent platform rather than malicious npm install behavior. Its persistent self-update and repository-modification capability warrant a warning for operational risk, not a publication block.
Evidence
package.jsonbootstrap/setup.shbootstrap/auto-update.shsrc/workspace-tools.jssrc/release.jssrc/telegram-service.jsbin/factorybootstrap/deploy-runtime.shbootstrap/factory-ai-update.servicebootstrap/factory-ai-update.timersrc/process.jssrc/worker.jssrc/updater.jssrc/container-runner.jssrc/agent-runner.jsconfig/capabilities.json
Network endpoints7
registry.npmjs.org/factory-ai/latestapi.telegram.orgapi.ipify.orgmanagement.azure.com${env.KEY_VAULT_NAME}.vault.azure.net${storageAccount}.blob.core.windows.netgithub.com/${command.repository}.git
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `bootstrap/setup.sh` installs root-owned systemd services and timers.
- `bootstrap/auto-update.sh` periodically fetches and deploys newer upstream code.
- `src/worker.js` loads cloud/GitHub credentials and executes agent workloads.
- `src/workspace-tools.js` permits an agent limited workspace writes and allowlisted commands.
- `src/release.js` can create PRs and enable repository auto-merge when policy/checks permit.
Evidence against
- `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
- Persistence is reached through explicit deployment scripts, not package installation.
- `src/process.js` uses argument arrays with `shell: false`.
- `src/workspace-tools.js` restricts paths, blocks symlink writes, disables inherited secrets, and denies git push/remote.
- `src/telegram-service.js` rejects messages outside an explicit chat-ID allowlist.
- No source evidence of credential exfiltration, hidden payload retrieval, or foreign AI-agent configuration writes.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcebootstrap/setup.shView file
•path = bootstrap/setup.sh
kind = build_helper
sizeBytes = 8487
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
bootstrap/setup.shView on unpkgFindings
4 Medium4 Low
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperbootstrap/setup.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings