AI Security Review
scanned 13h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. At app runtime, VibeMon detects missing hooks for AI tools and prompts to install them. Confirming downloads remote Python source and executes it, potentially changing AI-tool configuration outside the package.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Launch the Electron app, have a supported AI tool without its VibeMon hook, then choose Install.
Impact
A mutable remote script can alter Claude, Codex, Kiro, or OpenClaw hook/extension paths and receives the configured VibeMon token.
Mechanism
User-confirmed remote installer execution for cross-tool hooks.
Rationale
No covert install-time behavior or direct malicious payload is present, but runtime user-confirmed execution of a remote installer can modify foreign AI-agent hook surfaces. Treat as a warning rather than a block because execution requires explicit user confirmation.
Evidence
package.jsonmain.jsmodules/hook-installer.cjsmodules/ws-client.cjsshared/config.cjs~/.claude/hooks/vibemon.py~/.codex/hooks/vibemon.py~/.kiro/hooks/vibemon.py~/.openclaw/extensions/vibemon-bridge/index.mjs
Network endpoints2
docs.vibemon.io/install.pywss://ws.vibemon.io
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `modules/hook-installer.cjs` downloads `https://docs.vibemon.io/install.py` and pipes it to Python.
- Runtime hook setup targets `~/.claude`, `~/.codex`, `~/.kiro`, and `~/.openclaw`.
- `main.js` checks periodically for missing hooks and invokes the installer prompt.
- `shared/config.cjs` permits environment override of the installer base URL.
Evidence against
- `package.json` has no preinstall, install, or postinstall hook.
- Installation requires an Electron confirmation dialog before download/execution.
- Python is spawned with argument arrays and stdin, not a shell.
- HTTP server binds only to `127.0.0.1`; WebSocket is app-configured telemetry.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkWebSocket
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourceassets/icon.icnsView file
•path = assets/icon.icns
kind = high_entropy_blob
sizeBytes = 23136
magicHex = [redacted]
High
modules/hook-installer.cjsView file
•matchType = previous_version_dangerous_delta
matchedPackage = vibemon@1.16.1
matchedIdentity = npm:dmliZW1vbg:1.16.1
similarity = 0.800
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
modules/hook-installer.cjsView on unpkgFindings
2 High3 Medium4 Low
HighShips High Entropy Blobassets/icon.icns
HighPrevious Version Dangerous Deltamodules/hook-installer.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings