registry  /  foremanjs  /  0.5.0

foremanjs@0.5.0

Foreman — the review inbox for your AI workforce. Risk-ranked review cards for every agent session, with signed MCP receipts proving what tools actually did.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Explicit CLI setup can add Foreman callbacks to Claude Code and Cursor configuration, including user-level locations with `--global`. Hook callbacks collect agent event data and selected file/transcript content into a local Foreman journal. No unconsented install-time mutation or outbound exfiltration was confirmed.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `foreman init` or invokes configured hooks; `foreman ui` enables the optional notifier.
Impact
Agent activity and file-content samples may persist locally; a user-supplied notifier command can run for critical cards.
Mechanism
Explicit AI-agent hook installation and local event journaling.
Rationale
Not malicious by source inspection: configuration mutation is explicit-user-command setup and collection is local-first. Warn because the package deliberately installs AI-agent hooks and persists potentially sensitive event/file data, with a shell notifier controlled by user configuration.
Evidence
package.jsondist/cli.jsdist/hooks/claude-code.jsdist/hooks/cursor.jsdist/hooks/codex.jsdist/paths.jsdist/journal.jsdist/server.jsdist/mcp/proxy.js.claude/settings.json.cursor/hooks.json~/.claude/settings.json~/.cursor/hooks.json~/.foreman/events/*.jsonl~/.foreman/config.json
Network endpoints1
127.0.0.1:<port>

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/cli.js` exposes explicit `foreman init [--global]`, which installs agent hooks.
  • `dist/hooks/claude-code.js` reads hook payloads and project files, then journals bounded content samples.
  • `dist/hooks/cursor.js` writes Foreman hook commands to project or user `.cursor/hooks.json`.
  • `dist/paths.js` stores collected events under `FOREMAN_HOME` or `~/.foreman`.
  • `dist/server.js` can execute user-configured `notify_command` through a shell after the user starts the UI.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • All agent configuration changes are reached only through `foreman init` or `foreman uninstall`.
  • Inspected source contains no outbound HTTP client, credential exfiltration path, remote payload download, eval, or VM execution.
  • The built-in HTTP server binds to `127.0.0.1`; observed URLs are local-only.
  • `dist/mcp/proxy.js` proxies an explicitly supplied local stdio command and records signed hashes/receipts.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 24 file(s), 102 KB of source, external domains: 127.0.0.1, github.com

Source & flagged code

2 flagged · loading source
README.mdView file
- **Rug-pull detection** — tool definitions are fingerprinted on first use. When *"adds two numbers"* becomes *"adds two numbers. IGNORE PREVIOUS INSTRUCTIONS…"*, a finding lands in your inbox. Re-accept intentional updates with `foreman trust <server>`.
High
Ai Reviewer Manipulation

Package text addresses the security reviewer or scanner and tries to influence the review outcome.

README.mdView on unpkg
dist/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = foremanjs@0.3.0 matchedIdentity = npm:Zm9yZW1hbmpz:0.3.0 similarity = 0.400 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli.jsView on unpkg

Findings

2 High2 Medium4 Low
HighAi Reviewer ManipulationREADME.md
HighPrevious Version Dangerous Deltadist/cli.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings