registry  /  failproofai  /  0.0.13

failproofai@0.0.13

The easiest way to manage policies that keep your AI agents reliable, on-task, and running autonomously — for Claude Code & the Agents SDK

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm postinstall; explicit `failproofai policies --install` command
Impact
Persistent telemetry identifier and optional agent hook execution after user configuration
Mechanism
telemetry collection plus user-invoked agent hook registration
Rationale
No concrete malicious chain was established, but automatic install telemetry and explicit AI-agent configuration mutation warrant a warning under the lifecycle policy. The scanner's claimed install-time AI-agent hijack is not supported by `scripts/postinstall.mjs`.
Evidence
package.jsonscripts/postinstall.mjsscripts/preuninstall.mjsscripts/install-telemetry.mjsbin/failproofai.mjssrc/hooks/integrations.tssrc/hooks/llm-client.ts~/.failproofai/instance-id~/.failproofai/last-version~/.claude/settings.json~/.codex/hooks.json
Network endpoints1
us.i.posthog.com/capture/

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `scripts/postinstall.mjs` runs on install and sends telemetry by default.
  • `scripts/install-telemetry.mjs` derives a persistent host ID and POSTs install events to PostHog.
  • `bin/failproofai.mjs` exposes explicit `policies --install` commands.
  • `src/hooks/integrations.ts` writes marked hook commands into agent settings, including `.codex/hooks.json`.
Evidence against
  • `scripts/postinstall.mjs` only reads Claude settings and prints a repair warning; it does not mutate them.
  • `scripts/preuninstall.mjs` removes only marked failproofai hook entries during uninstall.
  • Agent-setting writes are behind explicit CLI policy-install commands, not install-time.
  • No credential harvesting, remote payload loading, eval/vm use, or destructive behavior was confirmed.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsObfuscatedTelemetryUrlStrings
Manifest
NoLicense
scanned 130 file(s), 1.55 MB of source, external domains: api.befailproof.ai, api.example.com, api.openai.com, discord.gg, docs.befailproof.ai, github.com, img.shields.io, opencode.ai, us.i.posthog.com

Source & flagged code

15 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
.next/standalone/.next/server/chunks/_1z062h5._.jsView file
1patternName = aws_access_key severity = critical line = 1 matchedText = module.e...)}];
Critical
Critical Secret

Package contains a critical-looking secret pattern.

.next/standalone/.next/server/chunks/_1z062h5._.jsView on unpkg · L1
1patternName = aws_access_key severity = critical line = 1 matchedText = module.e...)}];
Critical
Secret Pattern

AWS access key ID in .next/standalone/.next/server/chunks/_1z062h5._.js

.next/standalone/.next/server/chunks/_1z062h5._.jsView on unpkg · L1
dist/cli.mjsView file
68import crypto from "node:crypto"; L69: import { execSync } from "node:child_process"; L70: function hashToId(raw) {
High
Child Process

Package source references child process execution.

dist/cli.mjsView on unpkg · L68
226bash: "Bash", L227: powershell: "Bash", L228: list_bash: "Bash",
High
Shell

Package source references shell execution.

dist/cli.mjsView on unpkg · L226
18var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res); L19: var __require = /* @__PURE__ */ createRequire(import.meta.url); L20:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cli.mjsView on unpkg · L18
20L21: // package.json L22: var version2 = "0.0.13"; ... L33: async function trackHookEvent(distinctId, event, properties) { L34: if (process.env.FAILPROOFAI_TELEMETRY_DISABLED === "1") L35: return; ... L42: try { L43: await fetch(process.env.FAILPROOFAI_POSTHOG_HOST ? `${process.env.FAILPROOFAI_POSTHOG_HOST}/capture/` : CAPTURE_URL, { L44: method: "POST", ... L68: import crypto from "node:crypto"; L69: import { execSync } from "node:child_process"; L70: function hashToId(raw) {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/cli.mjsView on unpkg · L20
scripts/postinstall.mjsView file
9Install-time AI-agent control hijack evidence: L9: */ L10: import { existsSync, readFileSync, writeFileSync, mkdirSync } from "node:fs"; L11: import { resolve } from "node:path"; ... L95: // Check if Claude Code settings have failproofai hooks L96: const settingsPath = resolve(homedir(), ".claude", "settings.json"); L97: if (!existsSync(settingsPath)) { ... L228: try { L229: mkdirSync(resolve(homedir(), ".failproofai"), { recursive: true }); L230: writeFileSync(lastVersionFile, currentVersion, "utf8"); L231: } catch {} Payload evidence from scripts/sync-agent-cli-harnesses-prompt.md: L49: `src/hooks/integrations.ts` (matcher-wrapper vs flat-array vs packages-array vs L50: plugin registration; field names like `command` vs `bash`/`powershell`; L51: `timeout` vs `timeoutSec` and its **unit** seconds-vs-ms; presence of `version` ... L94: |-----------|-------------| L95: | Claude | https://code.claude.com/docs/en/hooks (reference) · https://code.claude.com/docs/en/hooks-guide (summary) | L96: | Codex | https://developers.openai.com/codex/hooks | ... L173: Add a single-line entry to `CHANGELOG.md` under `## <version> — <YYYY-MM-DD>` where L174: `<version>` is the `version` field…
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/postinstall.mjsView on unpkg · L9
pi-extension/index.tsView file
8Cross-file remote execution chain: pi-extension/index.ts spawns dist/cli.mjs; helper contains network access plus dynamic code execution. L8: * binary as `failproofai --hook <Event> --cli pi`. failproofai prints a L9: * decision JSON to stdout; this shim parses it and translates into Pi's L10: * `{ block: true, reason }` return shape so policy `deny` decisions cancel ... L20: * dist/cli.mjs is preferred because spawning `node bin/failproofai.mjs` L21: * fails with ERR_IMPORT_ATTRIBUTE_MISSING (the source `import package.json` L22: * needs `with { type: "json" }` under node, which bun handles transparently ... L25: * spawns extensions with an undefined cwd contract, so paths are resolved L26: * relative to this file via `import.meta.url`, NOT process.cwd(). L27: */ L28: import { spawnSync } from "node:child_process"; L29: import { resolve, dirname, join } from "node:path"; ... L39: function resolveSpawn(): { cmd: string; args: string[] } {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

pi-extension/index.tsView on unpkg · L8
.next/standalone/docker-hook-sync/entrypoint.shView file
path = .next/standalone/docker-hook-sync/entrypoint.sh kind = payload_in_excluded_dir sizeBytes = 4947 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.next/standalone/docker-hook-sync/entrypoint.shView on unpkg
path = .next/standalone/docker-hook-sync/entrypoint.sh kind = build_helper sizeBytes = 4947 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

.next/standalone/docker-hook-sync/entrypoint.shView on unpkg
.next/standalone/public/audit/fonts/bitcount-prop-single.woff2View file
path = .[redacted]-prop-single.woff2 kind = high_entropy_blob sizeBytes = 6440 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

.next/standalone/public/audit/fonts/bitcount-prop-single.woff2View on unpkg
.next/standalone/.next/server/chunks/ssr/_0ul5rf_._.jsView file
1patternName = aws_access_key severity = critical line = 1 matchedText = module.e...)}];
Critical
Secret Pattern

AWS access key ID in .next/standalone/.next/server/chunks/ssr/_0ul5rf_._.js

.next/standalone/.next/server/chunks/ssr/_0ul5rf_._.jsView on unpkg · L1
.next/standalone/.next/server/chunks/ssr/_11v0g3z._.jsView file
1patternName = aws_access_key severity = critical line = 1 matchedText = module.e...)}];
Critical
Secret Pattern

AWS access key ID in .next/standalone/.next/server/chunks/ssr/_11v0g3z._.js

.next/standalone/.next/server/chunks/ssr/_11v0g3z._.jsView on unpkg · L1

Findings

5 Critical6 High6 Medium9 Low
CriticalCritical Secret.next/standalone/.next/server/chunks/_1z062h5._.js
CriticalAi Agent Control Hijackscripts/postinstall.mjs
CriticalSecret Pattern.next/standalone/.next/server/chunks/_1z062h5._.js
CriticalSecret Pattern.next/standalone/.next/server/chunks/ssr/_0ul5rf_._.js
CriticalSecret Pattern.next/standalone/.next/server/chunks/ssr/_11v0g3z._.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/cli.mjs
HighShelldist/cli.mjs
HighCross File Remote Execution Contextpi-extension/index.ts
HighShips High Entropy Blob.next/standalone/public/audit/fonts/bitcount-prop-single.woff2
HighPayload In Excluded Dir.next/standalone/docker-hook-sync/entrypoint.sh
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/cli.mjs
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helper.next/standalone/docker-hook-sync/entrypoint.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/cli.mjs
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNo License