registry  /  humanish  /  0.15.1

humanish@0.15.1

Open-source-safe CLI for persona simulation, observer review, and public-safe feedback drafts.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs the live OSS meta-lab via `humanish lab run ...` with meta/E2B execution.
Impact
May mutate the agent-skill configuration inside the provisioned E2B desktop and grant the explicitly launched actor broad sandbox permissions there.
Mechanism
Explicit sandboxed agent-skill setup and Codex actor launch.
Rationale
Source inspection found no concrete malicious chain or unconsented lifecycle mutation. The explicit generated skill-install and privileged agent launch constitute a real, user-invoked agent capability risk.
Evidence
package.jsondist/cli.jsdist/program.jsdist/oss-lab.jsdist/oss-meta-lab.jsdist/run.js
Network endpoints2
api.openai.com/v1/responsesgithub.com/<owner>/<repo>.git

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/oss-meta-lab.js` generates an E2B bootstrap that runs `npx -y skills add danielgwilson/humanish --skill humanish`.
  • The skill installation is reached only through the explicit `humanish lab run` meta-lab flow in `dist/program.js`.
  • `dist/oss-meta-lab.js` can launch a Codex app-server actor with `--sandbox danger-full-access` inside its E2B desktop.
  • Live actor preflight sends authenticated requests to `https://api.openai.com/v1/responses`.
Evidence against
  • `package.json` has no npm `preinstall`, `install`, or `postinstall` lifecycle hook.
  • `dist/cli.js` only parses explicit CLI arguments; importing `dist/index.js` does not invoke lab execution.
  • Generated bootstrap isolates supplied credentials, unsets broad host credential variables, and writes under E2B `/home/user/.humanish-oss-lab/...`.
  • GitHub clone inputs are constrained to owner/repo slugs in `dist/oss-lab.js`; no shell interpolation from arbitrary repo URLs was found.
  • No eval/vm loading, credential exfiltration endpoint, stealth persistence, or destructive host-file mutation was found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 58 file(s), 1.64 MB of source, external domains: 127.0.0.1, api.openai.com, deb.nodesource.com, fonts.googleapis.com, fonts.gstatic.com, github.com, humanish.local, your-preview.vercel.app

Source & flagged code

1 flagged · loading source
dist/oss-meta-lab.jsView file
matchType = previous_version_dangerous_delta matchedPackage = humanish@0.15.0 matchedIdentity = npm:aHVtYW5pc2g:0.15.0 similarity = 0.600 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/oss-meta-lab.jsView on unpkg

Findings

1 High2 Medium4 Low
HighPrevious Version Dangerous Deltadist/oss-meta-lab.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings