AI Security Review
scanned 3h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs the live OSS meta-lab via `humanish lab run ...` with meta/E2B execution.
Impact
May mutate the agent-skill configuration inside the provisioned E2B desktop and grant the explicitly launched actor broad sandbox permissions there.
Mechanism
Explicit sandboxed agent-skill setup and Codex actor launch.
Rationale
Source inspection found no concrete malicious chain or unconsented lifecycle mutation. The explicit generated skill-install and privileged agent launch constitute a real, user-invoked agent capability risk.
Evidence
package.jsondist/cli.jsdist/program.jsdist/oss-lab.jsdist/oss-meta-lab.jsdist/run.js
Network endpoints2
api.openai.com/v1/responsesgithub.com/<owner>/<repo>.git
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/oss-meta-lab.js` generates an E2B bootstrap that runs `npx -y skills add danielgwilson/humanish --skill humanish`.
- The skill installation is reached only through the explicit `humanish lab run` meta-lab flow in `dist/program.js`.
- `dist/oss-meta-lab.js` can launch a Codex app-server actor with `--sandbox danger-full-access` inside its E2B desktop.
- Live actor preflight sends authenticated requests to `https://api.openai.com/v1/responses`.
Evidence against
- `package.json` has no npm `preinstall`, `install`, or `postinstall` lifecycle hook.
- `dist/cli.js` only parses explicit CLI arguments; importing `dist/index.js` does not invoke lab execution.
- Generated bootstrap isolates supplied credentials, unsets broad host credential variables, and writes under E2B `/home/user/.humanish-oss-lab/...`.
- GitHub clone inputs are constrained to owner/repo slugs in `dist/oss-lab.js`; no shell interpolation from arbitrary repo URLs was found.
- No eval/vm loading, credential exfiltration endpoint, stealth persistence, or destructive host-file mutation was found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/oss-meta-lab.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = humanish@0.15.0
matchedIdentity = npm:aHVtYW5pc2g:0.15.0
similarity = 0.600
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/oss-meta-lab.jsView on unpkgFindings
1 High2 Medium4 Low
HighPrevious Version Dangerous Deltadist/oss-meta-lab.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings