AI Security Review
scanned 4h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User starts the server in HTTP mode, creates managed Codex/Claude/Copilot threads, or explicitly runs `Install-Sensorium.ps1`.
Impact
Telegram-directed tasks can run through AI CLIs with bypassed safeguards; a later published npm version can execute automatically.
Mechanism
Detached privileged agent spawning plus registry-driven self-update.
Rationale
The behavior is package-aligned remote-agent orchestration, not proven malware, but it creates substantial dangerous capability and registry-driven runtime code execution. It merits a warning rather than a publish block.
Evidence
package.jsondist/index.jsdist/services/self-update.service.jsdist/services/codex-spawn.service.jsdist/services/claude-spawn.service.jsInstall-Sensorium.ps1~/.claude/.credentials.json~/.remote-copilot-mcp/claude-configs/<threadId>/.credentials.json~/.remote-copilot-mcp/maintenance.flag~/.remote-copilot-mcp/bin/sensorium-supervisor.exeWindows Startup/SensoriumSupervisor.cmd
Network endpoints3
registry.npmjs.org/sensorium-mcp/latestapi.github.com/repos/andriyshevchenko/sensorium-mcp/releases/tags/supervisor-latestapi.telegram.org
Decision evidence
public snapshotAI called this Suspicious at 92.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `dist/services/codex-spawn.service.js` launches `codex exec --dangerously-bypass-approvals-and-sandbox` in an infinite task-polling loop.
- `dist/services/claude-spawn.service.js` copies `~/.claude/.credentials.json` to a per-thread config and launches Claude with `--dangerously-skip-permissions`.
- `dist/services/self-update.service.js` polls npm and spawns `npx` with `shell:true` to execute a newer package version.
- `Install-Sensorium.ps1` downloads a supervisor executable and creates a Windows Startup launcher when explicitly run.
Evidence against
- `package.json` has only `prepublishOnly`; it has no `preinstall`, `install`, or `postinstall` hook.
- The self-update poller is activated only after an explicit HTTP-mode server launch (`MCP_HTTP_PORT`).
- The installer is an explicit `pwsh Install-Sensorium.ps1` user action, not npm install-time execution.
- No inspected source established secret exfiltration to an unrelated hard-coded endpoint.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourceInstall-Sensorium.ps1View file
•path = Install-Sensorium.ps1
kind = build_helper
sizeBytes = 12824
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
Install-Sensorium.ps1View on unpkgdist/services/claude-spawn.service.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = sensorium-mcp@3.0.92
matchedIdentity = npm:c2Vuc29yaXVtLW1jcA:3.0.92
similarity = 0.796
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/services/claude-spawn.service.jsView on unpkgFindings
1 High4 Medium5 Low
HighPrevious Version Dangerous Deltadist/services/claude-spawn.service.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build HelperInstall-Sensorium.ps1
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings