ltcai@8.6.0

Lattice AI — local-first Digital Brain that keeps your knowledge durable across any AI model.

AI Security Review

scanned 5h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source
Trigger
User or external launchd/screen setup runs scripts/start-pts-claudecode-discord.sh or scripts/pts-claudecode-discord-bridge.mjs
Impact
Remote Discord users allowed by the bridge can cause local agent actions and source edits in the configured workspace
Mechanism
Discord bot forwards messages into Claude Code with --permission-mode bypassPermissions
Rationale
Source inspection confirms a high-risk remote agent-control bridge, but not unconsented npm lifecycle activation or automatic mutation of a foreign AI-agent control surface. Warn rather than block because the dangerous path requires explicit execution or separate persistence setup not shown in package install hooks.
Evidence
  • package.json
  • bin/ltcai.js
  • desktop/electron/main.cjs
  • scripts/pts-claudecode-discord-bridge.mjs
  • scripts/start-pts-claudecode-discord.sh
  • scripts/com.pts.claudecode.discord.plist
  • $HOME/.claude/channels/discord/.env
  • $HOME/.claude/logs/pts_claudecode_discord_autostart.log
  • $HOME/.claude/pts_claudecode_start.lock
  • /Users/parktaesoo/.claude/bin/pts-claudecode-discord-bridge.mjs
Network endpoints (2)
  • discord.com
  • gateway.discord.gg

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • scripts/pts-claudecode-discord-bridge.mjs reads DISCORD_BOT_TOKEN from $HOME/.claude/channels/discord/.env
  • scripts/pts-claudecode-discord-bridge.mjs connects a Discord bot and runs /opt/homebrew/bin/claude with --permission-mode bypassPermissions
  • scripts/com.pts.claudecode.discord.plist is a launchd KeepAlive/RunAtLoad persistence descriptor for the bridge
  • scripts/start-pts-claudecode-discord.sh starts the bridge in a detached screen session and writes logs/locks under $HOME/.claude
  • Bridge prompt permits direct source edits in a hardcoded Lattice AI workspace from Discord messages
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hook
  • bin/ltcai.js is a user-invoked CLI that bootstraps Python deps and runs ltcai_cli.py
  • desktop/electron/main.cjs starts a local backend and loads http://127.0.0.1:8765/app with sandboxed renderer settings
  • scripts/lint_frontend.mjs and scripts/run_integration_tests.mjs are development/test scripts, not install-time execution
  • No inspected code automatically installs the launchd plist or bridge during npm install
Behavioral surface
Source
ChildProcess, EnvironmentVars, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, Minified, Telemetry, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 26 file(s), 1.40 MB of source, external domains: 127.0.0.1, github.com, react.dev, reactflow.dev, www.w3.org

Source & flagged code

6 flagged

bin/ltcai.js
    L2:
    L3: const { spawn } = require("node:child_process");
    L4: const { spawnSync } = require("node:child_process");
High
Child Process

Package source references child process execution.

bin/ltcai.js · L2

scripts/run_integration_tests.mjs
    L1: #!/usr/bin/env node
    L2: import { spawn } from "node:child_process";
    L3: import { existsSync } from "node:fs";
    ...
    L5:
    L6: const host = process.env.LTCAI_TEST_HOST || "127.0.0.1";
    L7: const port = process.env.LTCAI_TEST_PORT || "8899";
    L8: const baseUrl = process.env.LTCAI_TEST_BASE_URL || `http://${host}:${port}`;
    L9: const venvPython = join(process.cwd(), ".venv", "bin", "python");
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

scripts/run_integration_tests.mjs · L1

scripts/lint_frontend.mjs
    L31:
    L32: const tsc = spawnSync("npx", ["tsc", "-p", "tsconfig.json", "--noEmit"], { cwd: repo, encoding: "utf8" });
    L33: if (tsc.status !== 0) fail(`frontend typecheck\n${tsc.stdout}${tsc.stderr}`);
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/lint_frontend.mjs · L31

telegram_bot.py
    path = telegram_bot.py
    kind = build_helper
    sizeBytes = 322
    magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.


static/vendor/icons/tabler-icons.woff2
    path = static/vendor/icons/tabler-icons.woff2
    kind = high_entropy_blob
    sizeBytes = 820316
    magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.


desktop/electron/main.cjs
    matchType = previous_version_dangerous_delta
    matchedPackage = ltcai@8.5.0
    matchedIdentity = npm:bHRjYWk:8.5.0
    similarity = 0.800
    summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.


Findings

1 Critical · 5 High · 4 Medium · 5 Low
  • Critical · Previous Version Dangerous Delta · desktop/electron/main.cjs
  • High · Child Process · bin/ltcai.js
  • High · Shell
  • High · Same File Env Network Execution · scripts/run_integration_tests.mjs
  • High · Runtime Package Install · scripts/lint_frontend.mjs
  • High · Ships High Entropy Blob · static/vendor/icons/tabler-icons.woff2
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Ships Build Helper · telegram_bot.py
  • Medium · Structural Risk Force Deep Review
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Telemetry
  • Low · Url Strings