AI Security Review
scanned 3h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
User runs `taskherd install`, configures/runs a task, or starts `taskherd serve`.
Impact
A consenting user can grant scheduled agents broad local execution; the install command modifies the user's Claude integration surface.
Mechanism
Explicit agent integration registration and user-configured command/AI execution.
Rationale
The package is not shown to be malicious, but it performs explicit user-scope AI-agent registration and provides a dangerous scheduled execution capability. Per firewall policy, this merits a warning rather than a block.
Evidence
package.jsonbin/cli.mjsbin/mcp.mjssrc/executor.mjssrc/providers.mjssrc/serve.mjsskill/task
Network endpoints1
127.0.0.1
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `bin/cli.mjs` `taskherd install` registers `taskherd` in Claude's user-scope MCP configuration.
- `bin/cli.mjs` links bundled `skill/task` into the user's Claude skills directory after explicit command invocation.
- `src/providers.mjs` schedules AI CLIs with permissive built-in defaults, including Claude `bypassPermissions` and Copilot `--allow-all-tools`.
- `src/executor.mjs` runs configured command/AI steps via a PTY and writes generated MCP config for scheduled AI runs.
Evidence against
- `package.json` has no preinstall/install/postinstall hook; its only lifecycle script is `prepublishOnly`.
- Agent configuration mutation is confined to the explicit `taskherd install` command and refuses to overwrite a foreign skill link.
- No source evidence of credential harvesting, telemetry, remote payload download, obfuscation, eval, or outbound exfiltration.
- `src/serve.mjs` uses a generated token and the CLI defaults the web console to loopback; shell/GFX access requires explicit flags.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcesrc/paths.mjsView file
11export function taskherdHome() {
L12: if (process.env.TASKHERD_HOME) return path.resolve(process.env.TASKHERD_HOME);
L13: return path.join(os.homedir(), '.taskherd');
L14: }
Low
Findings
2 Medium6 Low
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptosrc/paths.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings