registry  /  hilos-agent  /  0.4.0

hilos-agent@0.4.0

Run your own coding agent (Claude Code / Codex / Cursor) as an autonomous teammate in a hilos channel. Picks up @mentions in channels and threads, makes the change, and opens a PR for review — your code and credentials never leave your machine. (Approve-b

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `hilos-agent` or explicitly invokes `hilos-agent hooks install`.
Impact
A trusted Hilos channel plus an intentionally configured coding command can modify configured repositories and use local git tooling.
Mechanism
Remote-channel-driven local coding-agent orchestration with optional Claude hook setup.
Rationale
Source inspection shows a real high-impact agent capability, but it is package-aligned, configured by the user, and not activated at npm install. Treat as a warning for dangerous autonomous local-code execution rather than malicious behavior.
Evidence
package.jsonbin/hilos-agent.mjssrc/config.mjssrc/mcp.mjssrc/daemon.mjssrc/handler.mjssrc/hook.mjs~/.hilos/agent.jsonhilos-agent.json.claude/settings.json~/.claude/settings.json
Network endpoints1
hilos.sh/api/mcp

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `src/daemon.mjs` polls channel mentions and routes them to task handling.
  • `src/handler.mjs` runs configured coding commands and local git operations for channel tasks.
  • `src/hook.mjs` can install Claude hook configuration when explicitly invoked.
  • `src/mcp.mjs` sends authenticated RPC requests to the configured Hilos endpoint.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle script.
  • `bin/hilos-agent.mjs` activates config writes, hooks, and daemon work only through explicit CLI commands.
  • `src/config.mjs` defaults the service endpoint to `https://hilos.sh/api/mcp` and accepts user-supplied configuration.
  • `src/mcp.mjs` contains no unrelated endpoint, payload download, or remote code-loading path.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 15 file(s), 212 KB of source, external domains: hilos.sh, www.npmjs.com

Source & flagged code

1 flagged · loading source
src/daemon.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = hilos-agent@0.1.16 matchedIdentity = npm:aGlsb3MtYWdlbnQ:0.1.16 similarity = 0.571 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/daemon.mjsView on unpkg

Findings

1 High2 Medium3 Low
HighPrevious Version Dangerous Deltasrc/daemon.mjs
MediumNetwork
MediumEnvironment Vars
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings