registry  /  humanish  /  0.15.0

humanish@0.15.0

Open-source-safe CLI for persona simulation, observer review, and public-safe feedback drafts.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
Run the OSS meta-lab outside dry-run with HUMANISH_OSS_META_HOST_CODEX_ACTOR=1 and required live credentials.
Impact
A hostile or compromised selected repository could influence an unrestricted coding agent to modify or access host resources.
Mechanism
Host clone followed by unrestricted Codex execution in the cloned repository.
Rationale
No malicious install-time or covert behavior is established, but the opt-in host-agent route deliberately disables safety controls while processing cloned repository content. Warn rather than block because the route is explicit and guarded by live-mode configuration.
Evidence
package.jsondist/oss-meta-lab.jsdist/source-archive.jsdist/index.jsdist/cli.js
Network endpoints2
github.comapi.openai.com/v1/responses

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • dist/oss-meta-lab.js builds a host `codex exec` command with `--dangerously-bypass-approvals-and-sandbox`.
  • The host-agent path clones a selected GitHub repository, then runs the unrestricted agent inside that clone.
  • Activation requires non-dry-run execution plus `HUMANISH_OSS_META_HOST_CODEX_ACTOR=1`.
  • dist/oss-meta-lab.js writes a temporary GitHub askpass helper when a GitHub token is supplied.
Evidence against
  • package.json has no preinstall, install, postinstall, or prepare lifecycle hook.
  • No import-time network, shell, or filesystem execution was found in dist/index.js or dist/cli.js beyond CLI parsing.
  • Host actor receives an allowlisted environment that excludes OpenAI and GitHub token variables.
  • dist/source-archive.js explicitly excludes .env, keys, credentials, .npmrc, node_modules, and runtime directories.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 55 file(s), 1.54 MB of source, external domains: 127.0.0.1, api.openai.com, deb.nodesource.com, fonts.googleapis.com, fonts.gstatic.com, github.com, humanish.local, your-preview.vercel.app

Source & flagged code

2 flagged · loading source
dist/oss-meta-lab.jsView file
Published source reference
Medium
Ai Review Evidence

dist/oss-meta-lab.js builds a host `codex exec` command with `--dangerously-bypass-approvals-and-sandbox`.

dist/oss-meta-lab.jsView on unpkg
Published source reference
Medium
Ai Review Evidence

dist/oss-meta-lab.js writes a temporary GitHub askpass helper when a GitHub token is supplied.

dist/oss-meta-lab.jsView on unpkg

Findings

6 Medium4 Low
MediumNetwork
MediumEnvironment Vars
MediumAi Review Evidencedist/oss-meta-lab.js
MediumAi Review Evidence
MediumAi Review Evidence
MediumAi Review Evidencedist/oss-meta-lab.js
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings