registry  /  fraim-hub  /  2.0.209

fraim-hub@2.0.209

FRAIM Hub local companion package.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. A user-started local Hub can install approved AI agent CLIs and configure FRAIM MCP/discovery artifacts in their user-level agent directories. It also enables Claude Code OTLP telemetry to a local receiver. No install-time or import-time attack surface was confirmed.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `fraim-hub` and explicitly uses the Hub agent-install/configuration workflow.
Impact
Changes AI-agent configuration and can route Claude telemetry to a local FRAIM receiver.
Mechanism
Runtime global agent installation plus user-level AI-agent configuration writes.
Rationale
The scanner's malicious classification overstates the source evidence. The package has a real, user-invoked AI-agent setup capability that warrants a warning, but no concrete malicious chain was found.
Evidence
package.jsonbin/fraim-hub.jsdist/src/ai-hub/server.jsdist/src/first-run/types.jsdist/src/cli/commands/add-ide.jsdist/src/cli/setup/ide-global-integration.jsdist/src/cli/setup/claude-code-telemetry.js~/.claude/settings.json~/.codex/skills/fraim/SKILL.md
Network endpoints3
fraim.wellnessatwork.melocalhost:4318registry.npmjs.org/fraim/latest

Decision evidence

public snapshot
AI called this Suspicious at 89.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/src/ai-hub/server.js` exposes explicit `/api/ai-hub/install-agent`, which runs `npm install -g` for selected AI CLIs.
  • `dist/src/ai-hub/server.js` invokes `runAddIDE` after installation, enabling FRAIM MCP configuration in agent environments.
  • `dist/src/cli/setup/ide-global-integration.js` creates FRAIM artifacts under existing `~/.claude`, `~/.codex`, and other IDE directories.
  • `dist/src/cli/setup/claude-code-telemetry.js` modifies `~/.claude/settings.json` to enable OTLP telemetry to localhost.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or other lifecycle scripts.
  • `bin/fraim-hub.js` only starts the CLI when the user invokes `fraim-hub`.
  • Agent installation uses a fixed allowlist: Claude Code, Codex, Gemini CLI, and GitHub Copilot CLI in `dist/src/first-run/types.js`.
  • No `eval`, VM execution, encoded payload decoding, native binaries, credential-file harvesting, or non-package-aligned exfiltration was found.
  • `dist/src/ai-hub/server.js` binds Hub HTTP/HTTPS listeners to `127.0.0.1` only.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 83 file(s), 1.48 MB of source, external domains: 127.0.0.1, ai.google.dev, antigravity.google, api.dicebear.com, api.githubcopilot.com, app.seekout.com, claude.ai, code.visualstudio.com, cursor.com, docs.github.com, docs.gitlab.com, docs.microsoft.com, fraim.wellnessatwork.me, fraimworks.ai, github.com, gitlab.com, id.atlassian.com, kiro.dev, openai.com, registry.npmjs.org, support.atlassian.com, windsurf.com, www.anthropic.com, www.indeed.com, www.linkedin.com, www.w3.org, x.ai

Source & flagged code

6 flagged · loading source
dist/src/core/utils/git-utils.jsView file
9exports.sanitizeRepoIdentifier = sanitizeRepoIdentifier; L10: const child_process_1 = require("child_process"); L11: function extractLocalFolderLabel(rawPath) {
High
Child Process

Package source references child process execution.

dist/src/core/utils/git-utils.jsView on unpkg · L9
bin/fraim-hub.jsView file
3try { L4: const { createFraimHubProgram } = require('../dist/src/cli/fraim-hub.js'); L5: createFraimHubProgram().parseAsync(process.argv).catch((error) => {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/fraim-hub.jsView on unpkg · L3
dist/src/ai-hub/word-sideload.jsView file
21const os_1 = __importDefault(require("os")); L22: const child_process_1 = require("child_process"); L23: const MANIFEST_GUID = 'd1090951-50cf-4cf2-9d12-b0f8541d265c'; ... L26: path_1.default.resolve(projectPath, 'extensions/office-word/manifest.xml'), L27: path_1.default.resolve(__dirname, '..', '..', 'extensions/office-word/manifest.xml'), L28: path_1.default.resolve(__dirname, '..', '..', '..', 'extensions/office-word/manifest.xml'), ... L32: function isSideloaded() { L33: if (process.platform === 'win32') { L34: const result = (0, child_process_1.spawnSync)('reg', [ ... L38: ], { encoding: 'utf8' }); L39: return result.status === 0 && result.stdout.includes(MANIFEST_GUID); L40: }
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/src/ai-hub/word-sideload.jsView on unpkg · L21
dist/src/ai-hub/managed-browser.jsView file
27*/ L28: const child_process_1 = require("child_process"); L29: const http_1 = __importDefault(require("http")); L30: const os_1 = __importDefault(require("os")); ... L36: */ L37: function browserExecutableCandidates(platform = process.platform, env = process.env) { L38: if (platform === 'win32') {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/src/ai-hub/managed-browser.jsView on unpkg · L27
dist/src/ai-hub/server.jsView file
3078try { L3079: const syncChild = (0, child_process_1.spawn)('npx', ['fraim', 'sync'], { cwd: projectPath, detached: true, stdio: 'ignore' }); L3080: syncChild.on('error', () => { });
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/src/ai-hub/server.jsView on unpkg · L3078
dist/src/ai-hub/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = fraim-hub@2.0.207 matchedIdentity = npm:ZnJhaW0taHVi:2.0.207 similarity = 0.915 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/src/ai-hub/cli.jsView on unpkg

Findings

1 Critical3 High5 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/src/ai-hub/cli.js
HighChild Processdist/src/core/utils/git-utils.js
HighSame File Env Network Executiondist/src/ai-hub/managed-browser.js
HighRuntime Package Installdist/src/ai-hub/server.js
MediumDynamic Requirebin/fraim-hub.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/src/ai-hub/word-sideload.js
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License