AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
User runs `personaxis hooks install` with a selected host, optionally `--global`.
Impact
Can cause supported agent hosts to execute `personaxis observe --stdin` on later agent turns.
Mechanism
Explicit AI-agent hook and configuration mutation.
Rationale
Source inspection shows an explicit, potentially broad AI-agent configuration capability but no unconsented lifecycle execution or concrete malicious chain. Treat as a warning-level dangerous capability rather than malware.
Evidence
package.jsondist/index.jsdist/commands/hooks.jsdist/commands/compile.jsdist/providers/remote.js.claude/settings.json~/.claude/settings.json.codex/hooks.json~/.codex/hooks.json~/.hermes/hooks/personaxis-observe/HOOK.yaml~/.hermes/hooks/personaxis-observe/handler.py~/.openclaw/hooks/personaxis-observe/HOOK.md~/.openclaw/hooks/personaxis-observe/handler.tsCLAUDE.mdAGENTS.md
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/commands/hooks.js` explicitly installs hooks into Claude Code, Codex, Hermes, and OpenClaw configuration.
- The hooks invoke `personaxis observe --stdin` after agent turns and support project/global locations.
- `dist/commands/compile.js` can update project `CLAUDE.md` and `AGENTS.md` on an explicit compile command.
Evidence against
- `package.json` contains no preinstall, install, postinstall, or prepare lifecycle hook.
- `dist/index.js` registers hook behavior only behind the explicit `hooks` CLI command.
- `dist/providers/remote.js` sends prompts only when the user selects the remote provider and supplies `PERSONAXIS_API_TOKEN`.
- No source evidence of stealth execution, arbitrary remote payload loading, credential harvesting, or destructive behavior.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsMinifiedUrlStrings
Source & flagged code
1 flagged · loading sourcedist/providers/remote.jsView file
1const DEFAULT_API_BASE = "https://api.personaxis.com";
L2: /**
...
L17: async run(prompt) {
L18: const token = process.env.PERSONAXIS_API_TOKEN;
L19: if (!token) {
...
L28: },
L29: body: JSON.stringify({ prompt, model }),
L30: });
...
L33: }
L34: const json = (await res.json());
L35: if (!json.text)
High
Credential Exfiltration
Source combines credential-like environment material and outbound requests; review data flow before blocking.
dist/providers/remote.jsView on unpkg · L1Findings
1 High2 Medium4 Low
HighCredential Exfiltrationdist/providers/remote.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings