AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `npx sh-30-day-loop` or `sh-30-day-loop install`.
Impact
A server-side bundle or future package release can alter instructions/capabilities loaded by supported AI-agent tools.
Mechanism
Remote AI-skill deployment plus scheduled self-update.
Rationale
Source confirms an explicit-user-command AI-agent configuration mutation and persistent remote update channel. This warrants a warning, not a block, because no install-time hook, credential theft, exfiltration, or stealth execution is present.
Evidence
package.jsonbin/run.jssrc/agents.jssrc/api.jssrc/commands/install.jssrc/commands/update.jssrc/installer.jssrc/scheduler.js~/.claude/skills~/.agents/skills~/.superhuman/config.json~/.superhuman/auto-update.sh~/.superhuman/update.log~/Library/LaunchAgents/com.superhuman.30dayloop.plistuser crontab
Network endpoints1
sh-30-day-loop.vercel.app/api
Decision evidence
public snapshotAI called this Suspicious at 94.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `src/commands/install.js` fetches a remote bundle and writes it into AI-agent skill directories.
- `src/agents.js` targets `~/.claude/skills` and shared `~/.agents/skills` after an explicit CLI install.
- `src/scheduler.js` creates daily launchd/cron persistence that runs `npx -y sh-30-day-loop@latest update --silent`.
- `src/commands/update.js` renews a token and replaces installed bundle files from the remote API.
Evidence against
- `package.json` has no preinstall, install, or postinstall lifecycle hook.
- The persistence and agent writes are reached through the user-invoked `install` command, not package import or installation.
- No credential harvesting, arbitrary local-file collection, or non-package network endpoint is present in inspected source.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShell
UrlStrings
NoLicense
Source & flagged code
3 flagged · loading sourcesrc/scheduler.jsView file
3import path from "node:path";
L4: import { execFileSync, execSync } from "node:child_process";
L5: import { CONFIG_DIR, UPDATE_LOG, LAUNCHD_LABEL, CRON_MARKER, HOME } from "./constants.js";
High
3import path from "node:path";
L4: import { execFileSync, execSync } from "node:child_process";
L5: import { CONFIG_DIR, UPDATE_LOG, LAUNCHD_LABEL, CRON_MARKER, HOME } from "./constants.js";
...
L12: const npx = path.join(nodeDir, "npx");
L13: const npxCmd = fs.existsSync(npx) ? npx : "npx";
L14: return `#!/bin/sh
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
src/scheduler.jsView on unpkg · L33import path from "node:path";
L4: import { execFileSync, execSync } from "node:child_process";
L5: import { CONFIG_DIR, UPDATE_LOG, LAUNCHD_LABEL, CRON_MARKER, HOME } from "./constants.js";
...
L13: const npxCmd = fs.existsSync(npx) ? npx : "npx";
L14: return `#!/bin/sh
L15: ${CRON_MARKER}
...
L21: export function setupAutoUpdate() {
L22: if (process.env.SH_NO_SCHEDULE) return null; // testes e CI
L23: fs.mkdirSync(CONFIG_DIR, { recursive: true });
...
L45: try {
L46: execFileSync("launchctl", ["unload", plist], { stdio: "ignore" });
L47: } catch {}
Medium
Install Persistence
Source writes installer persistence such as shell profile or service configuration.
src/scheduler.jsView on unpkg · L3Findings
3 High3 Medium3 Low
HighChild Processsrc/scheduler.js
HighShell
HighRuntime Package Installsrc/scheduler.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencesrc/scheduler.js
LowFilesystem
LowUrl Strings
LowNo License