AI Security Review
scanned 3h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot- `dist/pty/claude-config.js` writes trust/onboarding flags to `~/.claude.json` for each spawned workspace.
- `dist/skills/inject.js` copies Loom skills into `<cwd>/.claude/skills`, shadowing personal Claude skills.
- `dist/orchestration/usage-status.js` reads Claude OAuth credentials and sends the token to Anthropic's usage endpoint.
- `dist/git/worktrees.js` runs bounded package-manager installs in user-project worktrees.
- `package.json` has no lifecycle scripts; install does not execute this behavior.
- Agent configuration writes occur when the user starts Loom-managed Claude sessions.
- Credential network use is limited to `https://api.anthropic.com/api/oauth/usage` with an Anthropic bearer token.
- `bin/service.mjs` service registration is an explicit `loom service install` action.
Source & flagged code
9 flagged · loading sourceA single source file combines environment access, network access, and code or shell execution; review context before blocking.
bin/loom.mjsView on unpkg · L21Package source references dynamic require/import behavior.
bin/loom.mjsView on unpkg · L270Package source executes code through a VM context API.
dist/mcp/repo-read.jsView on unpkg · L62Source writes installer persistence such as shell profile or service configuration.
bin/service.mjsView on unpkg · L10Package source invokes a package manager install command at runtime.
dist/git/worktrees.jsView on unpkg · L92Package ships non-JavaScript build or shell helper files.
assets/python/synthesize.pyView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/pty/host.jsView on unpkg