registry  /  fraim-hub  /  2.0.211

fraim-hub@2.0.211

FRAIM Hub local companion package.

AI Security Review

scanned 8h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs `fraim add-ide`, uses the Hub's Install Agent action, or starts an IDE configured with the FRAIM MCP server.
Impact
Configured AI-agent sessions can receive FRAIM MCP capabilities and execute a future registry-selected package version with the configured API key available to that MCP process.
Mechanism
Explicit agent-config mutation plus runtime `npx` execution of latest `fraim`.
Rationale
No evidence supports a malicious install-time or autonomous attack chain, so blocking is not justified. The explicit agent-control mutation and unpinned runtime launcher warrant a warning.
Evidence
package.jsonbin/fraim-hub.jsdist/src/ai-hub/server.jsdist/src/cli/commands/add-ide.jsdist/src/cli/setup/claude-code-telemetry.jsdist/src/cli/mcp/fraim-mcp-latest-launcher.jsdist/src/cli/mcp/mcp-server-registry.js~/.claude/settings.json~/.fraim/bin/fraim-mcp-latest.js.codex/config.toml
Network endpoints2
fraim.wellnessatwork.meregistry.npmjs.org/fraim/latest

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/src/cli/commands/add-ide.js` writes IDE MCP configuration and invokes Claude telemetry setup.
  • `dist/src/cli/setup/claude-code-telemetry.js` modifies `~/.claude/settings.json` for all Claude Code sessions.
  • `dist/src/cli/mcp/fraim-mcp-latest-launcher.js` writes a launcher that resolves latest `fraim` and executes it through `npx`.
  • `dist/src/cli/mcp/mcp-server-registry.js` places that launcher plus `FRAIM_API_KEY` into the FRAIM MCP configuration.
  • `dist/src/ai-hub/server.js` exposes a user-invoked install route that globally installs selected agent CLIs and then configures FRAIM for them.
Evidence against
  • `package.json` contains no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
  • `bin/fraim-hub.js` only starts the Hub after an explicit CLI invocation.
  • The Hub binds its HTTP and optional HTTPS listeners to `127.0.0.1`.
  • No inspected source showed credential harvesting, covert exfiltration, destructive behavior, or import-time payload execution.
  • The Unicode finding in `dist/src/config/learning-domains.js` is a leading BOM, not a deceptive bidi control sequence.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 86 file(s), 1.51 MB of source, external domains: 127.0.0.1, ai.google.dev, antigravity.google, api.dicebear.com, api.githubcopilot.com, app.seekout.com, claude.ai, code.visualstudio.com, cursor.com, docs.github.com, docs.gitlab.com, docs.microsoft.com, fraim.wellnessatwork.me, fraimworks.ai, github.com, gitlab.com, id.atlassian.com, kiro.dev, openai.com, registry.npmjs.org, support.atlassian.com, windsurf.com, www.anthropic.com, www.indeed.com, www.linkedin.com, www.w3.org, x.ai

Source & flagged code

8 flagged · loading source
dist/src/core/utils/git-utils.jsView file
9exports.sanitizeRepoIdentifier = sanitizeRepoIdentifier; L10: const child_process_1 = require("child_process"); L11: function extractLocalFolderLabel(rawPath) {
High
Child Process

Package source references child process execution.

dist/src/core/utils/git-utils.jsView on unpkg · L9
bin/fraim-hub.jsView file
3try { L4: const { createFraimHubProgram } = require('../dist/src/cli/fraim-hub.js'); L5: createFraimHubProgram().parseAsync(process.argv).catch((error) => {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/fraim-hub.jsView on unpkg · L3
dist/src/ai-hub/word-sideload.jsView file
21const os_1 = __importDefault(require("os")); L22: const child_process_1 = require("child_process"); L23: const MANIFEST_GUID = 'd1090951-50cf-4cf2-9d12-b0f8541d265c'; ... L26: path_1.default.resolve(projectPath, 'extensions/office-word/manifest.xml'), L27: path_1.default.resolve(__dirname, '..', '..', 'extensions/office-word/manifest.xml'), L28: path_1.default.resolve(__dirname, '..', '..', '..', 'extensions/office-word/manifest.xml'), ... L32: function isSideloaded() { L33: if (process.platform === 'win32') { L34: const result = (0, child_process_1.spawnSync)('reg', [ ... L38: ], { encoding: 'utf8' }); L39: return result.status === 0 && result.stdout.includes(MANIFEST_GUID); L40: }
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/src/ai-hub/word-sideload.jsView on unpkg · L21
dist/src/ai-hub/managed-browser.jsView file
27*/ L28: const child_process_1 = require("child_process"); L29: const http_1 = __importDefault(require("http")); L30: const os_1 = __importDefault(require("os")); ... L36: */ L37: function browserExecutableCandidates(platform = process.platform, env = process.env) { L38: if (platform === 'win32') {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/src/ai-hub/managed-browser.jsView on unpkg · L27
dist/src/config/learning-domains.jsView file
191contains invisible/control Unicode U+FEFF (zero width no-break space) const fm = jobFileContent.match(/^<U+FEFF>?---\r?\n([\s\S]*?)\r?\n---/);
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/src/config/learning-domains.jsView on unpkg · L191
Trigger-reachable chain: manifest.bin -> bin/fraim-hub.js -> dist/src/cli/fraim-hub.js -> dist/src/ai-hub/cli.js -> dist/src/ai-hub/server.js -> dist/src/local-mcp-server/learning-context-builder.js -> dist/src/config/learning-domains.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/src/config/learning-domains.jsView on unpkg
dist/src/ai-hub/server.jsView file
matchType = previous_version_dangerous_delta matchedPackage = fraim-hub@2.0.209 matchedIdentity = npm:ZnJhaW0taHVi:2.0.209 similarity = 0.928 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/src/ai-hub/server.jsView on unpkg
3110try { L3111: const syncChild = (0, child_process_1.spawn)('npx', ['fraim', 'sync'], { cwd: projectPath, detached: true, stdio: 'ignore' }); L3112: syncChild.on('error', () => { });
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/src/ai-hub/server.jsView on unpkg · L3110

Findings

3 Critical3 High5 Medium4 Low
CriticalTrojan Source Unicodedist/src/config/learning-domains.js
CriticalTrigger Reachable Dangerous Capabilitydist/src/config/learning-domains.js
CriticalPrevious Version Dangerous Deltadist/src/ai-hub/server.js
HighChild Processdist/src/core/utils/git-utils.js
HighSame File Env Network Executiondist/src/ai-hub/managed-browser.js
HighRuntime Package Installdist/src/ai-hub/server.js
MediumDynamic Requirebin/fraim-hub.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/src/ai-hub/word-sideload.js
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License