AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `proofloop agents setup`, `proofloop hooks install`, agent launch commands, or `proofloop providers setup`.
Impact
Can alter local AI-agent hook settings and execute user-selected agent commands within the selected project.
Mechanism
explicit agent-hook setup, command launch, and configured provider connectivity checks
Rationale
Source inspection found explicit user-command AI-agent configuration mutation and command-launch capability, but no malicious lifecycle execution or concrete exfiltration chain. Per policy, this is a warn-level AI-agent capability risk rather than a publish-blocking malicious package.
Evidence
package.jsondist/cli.jsdist/proofloopHooks.jsdist/agentAdapters.jsdist/providerSetup.jsdist/gate.js.proofloop/hooks/config.json.proofloop/hooks/stop-gate.mjs.proofloop/hooks/pretooluse-guard.mjs.proofloop/hooks/posttooluse-log.mjs.claude/settings.json.claude/settings.local.json.codex/hooks.json.proofloop/setup/providers/<provider>.json
Network endpoints2
api.daytona.ioapi.tokenfactory.nebius.com/v1
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/proofloopHooks.js` writes generated hooks and merges entries into `.claude/settings*.json` or `.codex/hooks.json`.
- `dist/agentAdapters.js` invokes hook setup only through explicit `proofloop agents setup` commands.
- `dist/agentAdapters.js` launches configured agent commands with `shell:true` when explicitly requested.
- `dist/providerSetup.js` can send configured provider credentials in explicit live health checks.
Evidence against
- `package.json` has no preinstall, install, or postinstall lifecycle hook; only `prepublishOnly` builds.
- `dist/cli.js` dispatches setup, launch, provider, and hosted behavior only from user-invoked CLI commands.
- `dist/proofloopHooks.js` defaults hook gating to local check-only state reads, not network execution.
- No dynamic code loading, eval/vm use, native loading, or covert network client was found.
- `dist/providerSetup.js` targets user-configured provider URLs and records setup receipts locally.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/cli.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = proofloop@0.2.0
matchedIdentity = npm:cHJvb2Zsb29w:0.2.0
similarity = 0.467
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/cli.jsView on unpkgFindings
1 High2 Medium5 Low
HighPrevious Version Dangerous Deltadist/cli.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings