AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface was found, but the package intentionally provides high-risk remote agent orchestration. Risk is activated by running the MCP server or the explicit PowerShell supervisor installer, not by npm install hooks.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs sensorium-mcp, starts HTTP mode/thread tools, or explicitly runs Install-Sensorium.ps1
Impact
Operator-authorized agents may run with broad local capabilities; no source evidence of credential exfiltration or stealth install-time compromise.
Mechanism
Runtime remote-control MCP server spawns privileged AI agent CLIs and optional supervisor/self-update processes
Rationale
Static source inspection finds dangerous dual-use remote agent orchestration and explicit supervisor lifecycle setup, but no concrete malicious chain or install-time compromise. Warn rather than block because activation is user/runtime driven and network/file behavior aligns with the package purpose.
Evidence
package.jsondist/index.jsdist/services/codex-spawn.service.jsdist/services/claude-spawn.service.jsdist/services/copilot-spawn.service.jsdist/services/spawn-common.jsdist/services/mcp-config.service.jsdist/services/self-update.service.jsInstall-Sensorium.ps1~/.remote-copilot-mcp~/.remote-copilot-mcp/bin/sensorium-supervisor.exeWindows Startup/SensoriumSupervisor.cmd~/.remote-copilot-mcp/settings.json~/.remote-copilot-mcp/server.pid~/.remote-copilot-mcp/maintenance.flag~/.remote-copilot-mcp/processes
Network endpoints8
api.telegram.orgapi.openai.com/v1/audio/speechapi.openai.com/v1/audio/transcriptionsapi.openai.com/v1/chat/completionsregistry.npmjs.org/sensorium-mcp/latestapi.github.com/repos/andriyshevchenko/sensorium-mcp/releases/tags/supervisor-latest127.0.0.1:<MCP_HTTP_PORT>/mcp127.0.0.1:<port>/health
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- dist/services/codex-spawn.service.js spawns Codex with --dangerously-bypass-approvals-and-sandbox after user/runtime thread start.
- dist/services/claude-spawn.service.js spawns Claude with --dangerously-skip-permissions and per-thread MCP config.
- Install-Sensorium.ps1 explicit installer downloads a supervisor binary from GitHub releases and installs a Windows Startup launcher.
- dist/services/self-update.service.js polls npm and can spawn npx -y sensorium-mcp@<targetVersion> during HTTP-mode self-update.
Evidence against
- package.json has no preinstall/install/postinstall hooks; only prepublishOnly build script.
- Dangerous spawns are runtime features of a Telegram-controlled MCP server, not install-time execution.
- dist/services/spawn-common.js deny-lists TELEGRAM_TOKEN, TELEGRAM_CHAT_ID, MCP_HTTP_SECRET and other secrets from spawned agents by default.
- Network calls are package-aligned: Telegram Bot API, OpenAI APIs, npm registry self-update, local MCP HTTP endpoint, GitHub release installer.
- MCP config writes target package-owned ~/.remote-copilot-mcp process/config paths or explicit agent homes, not unconsented npm install mutation.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourceInstall-Sensorium.ps1View file
•path = Install-Sensorium.ps1
kind = build_helper
sizeBytes = 12824
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
Install-Sensorium.ps1View on unpkgdist/services/claude-spawn.service.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = sensorium-mcp@3.0.69
matchedIdentity = npm:c2Vuc29yaXVtLW1jcA:3.0.69
similarity = 0.774
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/services/claude-spawn.service.jsView on unpkgFindings
1 High4 Medium5 Low
HighPrevious Version Dangerous Deltadist/services/claude-spawn.service.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build HelperInstall-Sensorium.ps1
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings