registry  /  hilos-agent  /  0.1.16

hilos-agent@0.1.16

Run your own coding agent (Claude Code / Codex / Cursor) as an autonomous teammate in a hilos channel. Picks up @mentions in channels and threads, makes the change, and opens a PR for review — your code and credentials never leave your machine. (Approve-b

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `hilos-agent` after configuring a token, repository mapping, and coding command; a Hilos @mention then reaches the polling loop.
Impact
High local repository and developer-credential capability when intentionally configured; task content can drive the coding agent's actions.
Mechanism
Remote channel tasks dispatch a user-configured coding CLI and local git/GitHub CLI.
Rationale
Source inspection confirms an intentional remote-triggered coding-agent and repository automation capability, but no concrete stealth, install-time mutation, credential theft, remote payload execution, or unrelated exfiltration. Treat as a dangerous dual-use package requiring a warning rather than malware.
Evidence
package.jsonbin/hilos-agent.mjssrc/config.mjssrc/mcp.mjssrc/run.mjssrc/cli.mjssrc/handler.mjsREADME.mdhilos-agent.json~/.hilos/agent.json
Network endpoints1
hilos.sh/api/mcp

Decision evidence

public snapshot
AI called this Suspicious at 92.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `src/handler.mjs` executes configured coding CLI commands for channel mentions.
  • `src/handler.mjs` uses local `git`/`gh` to commit, push, and open PRs.
  • `src/mcp.mjs` sends bearer-authenticated RPC requests to the configured Hilos endpoint.
  • `src/config.mjs` accepts `codingCmd` from config, environment, flags, and join payloads.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle script.
  • Network code is a single configured Hilos MCP endpoint, not arbitrary payload retrieval.
  • No eval, VM, dynamic module loading, credential harvesting, or foreign AI-agent config writes found.
  • CLI activation is explicit through the `hilos-agent` bin command; config writes occur only for `init`.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 14 file(s), 164 KB of source, external domains: hilos.sh, www.npmjs.com

Source & flagged code

4 flagged · loading source
src/handler.mjsView file
Published source reference
Medium
Ai Review Evidence

`src/handler.mjs` executes configured coding CLI commands for channel mentions.

src/handler.mjsView on unpkg
Published source reference
Medium
Ai Review Evidence

`src/handler.mjs` uses local `git`/`gh` to commit, push, and open PRs.

src/handler.mjsView on unpkg
src/mcp.mjsView file
Published source reference
Medium
Ai Review Evidence

`src/mcp.mjs` sends bearer-authenticated RPC requests to the configured Hilos endpoint.

src/mcp.mjsView on unpkg
src/config.mjsView file
Published source reference
Medium
Ai Review Evidence

`src/config.mjs` accepts `codingCmd` from config, environment, flags, and join payloads.

src/config.mjsView on unpkg

Findings

6 Medium3 Low
MediumNetwork
MediumEnvironment Vars
MediumAi Review Evidencesrc/handler.mjs
MediumAi Review Evidencesrc/handler.mjs
MediumAi Review Evidencesrc/mcp.mjs
MediumAi Review Evidencesrc/config.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings