AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
User runs `claude-llm-proxy hook install` or enables/launches the remote-bridge channel.
Impact
User-authorized agent activity, request headers, and prompts may be routed through configured local/upstream/remote-bridge services.
Mechanism
Explicit AI-agent hook/MCP configuration plus local proxy and Claude subprocess integration.
Rationale
Source inspection shows explicit user-command AI-agent configuration and proxy capability, not install-time or covert malicious behavior. Flag as warn for dangerous capability rather than block.
Evidence
package.jsonbin/cli.jsbin/channel.jsdist/lib/claude-settings.jsdist/cli/commands/hook.jsdist/remote/mcp-config.jsdist/remote/cli-runner.jsdist/core/proxy.jsapp/macos-status-bar/bin/StatusBarApp~/.claude/settings.json.mcp.json~/.claude-proxy/config.json
Network endpoints1
localhost:<port>/api/hooks/<event>
Decision evidence
public snapshotAI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/lib/claude-settings.js` writes managed HTTP hooks into `~/.claude/settings.json`.
- `dist/cli/commands/hook.js` exposes that mutation only through explicit `hook install`/`uninstall` commands.
- `dist/remote/mcp-config.js` writes a project `.mcp.json` entry that runs this package's channel binary.
- `dist/remote/cli-runner.js` spawns the configured `claude` command for the optional remote-bridge feature.
- `dist/core/proxy.js` forwards configured authorization/API-key headers and records proxy traffic locally.
Evidence against
- `package.json` has no `preinstall`, `install`, `postinstall`, or other lifecycle hook.
- `bin/cli.js` and `bin/channel.js` only load CLI/channel entry modules when invoked.
- Hook URLs are explicit `http://localhost:<port>/api/hooks/<event>` endpoints.
- No `eval`, `vm`, remote payload loader, credential harvesting path, or hard-coded exfiltration host was found.
- The shipped macOS binary is an arm64 status-bar executable linked to standard macOS frameworks; static strings show localhost proxy use.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
HighEntropyStringsMinifiedUrlStrings
Source & flagged code
1 flagged · loading sourceapp/macos-status-bar/bin/StatusBarAppView file
•path = app/macos-status-bar/bin/StatusBarApp
kind = native_binary
sizeBytes = 163136
magicHex = [redacted]
Medium
Ships Native Binary
Package ships native binary artifacts.
app/macos-status-bar/bin/StatusBarAppView on unpkgFindings
4 Medium4 Low
MediumNetwork
MediumEnvironment Vars
MediumShips Native Binaryapp/macos-status-bar/bin/StatusBarApp
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings