AI Security Review
scanned 3h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
Explicit `omniagent sync` or `omniagent usage` invocation
Impact
A user-selected project template can run with the invoking user's permissions and write managed agent files.
Mechanism
Agent-config synchronization plus execution of user-supplied template script blocks
Rationale
No concrete malicious chain is present, but explicit shell/Node template execution and AI-agent configuration mutation are risky capabilities. Treat as a warning rather than a block because activation depends on user commands and supplied content.
Evidence
package.jsondist/cli.jsdist/claude-CcxRb8OW.jsdist/codex-DhlBosXm.jsagents/skills/hello-world/SKILL.mdagents/skills/pr-prep/SKILL.mdagents/**{repoRoot}/.claude/**{repoRoot}/.codex/**{homeDir}/.omniagent/state/**{homeDir}/.claude/.credentials.json{homeDir}/.codex/auth.json
Network endpoints2
api.anthropic.com/v1/messageschatgpt.com/backend-api/wham/usage
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `dist/cli.js` executes `<nodejs>` template blocks with `new AsyncFunction`.
- `dist/cli.js` executes `<shell>` template blocks through a system shell.
- `omniagent sync` explicitly writes/removes managed files for Claude, Codex, Copilot, and Antigravity targets.
- `usage` reads Claude/Codex credentials only to call their respective usage endpoints.
Evidence against
- `package.json` has no `preinstall`, `install`, or `postinstall` hook.
- No shipped `agents/**` template contains executable script tags.
- Only observed network endpoints are Anthropic and ChatGPT usage APIs.
- No remote payload download, stealth persistence, credential exfiltration endpoint, or destructive install-time behavior found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/cli.jsView file
•Published source reference
Medium
Ai Review Evidence
`dist/cli.js` executes `<nodejs>` template blocks with `new AsyncFunction`.
dist/cli.jsView on unpkg•Published source reference
Medium
Ai Review Evidence
`dist/cli.js` executes `<shell>` template blocks through a system shell.
dist/cli.jsView on unpkgFindings
6 Medium5 Low
MediumNetwork
MediumEnvironment Vars
MediumAi Review Evidencedist/cli.js
MediumAi Review Evidencedist/cli.js
MediumAi Review Evidence
MediumAi Review Evidence
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings