AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. At application runtime, VibeMon can offer to install integration hooks into supported AI-tool directories. On user acceptance, it executes a remotely downloaded Python installer with a VibeMon token.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User launches the Electron app and clicks “Install” in the hook prompt, or explicitly selects hook installation.
Impact
The remote installer can modify supported AI-tool hook/extension locations and receives the configured VibeMon token.
Mechanism
User-confirmed remote Python hook installer for AI-agent directories.
Rationale
Source establishes a user-confirmed remote hook installer affecting AI-agent directories, with no npm install-time execution or confirmed malicious chain. Treat as a guarded agent-extension lifecycle risk rather than clean.
Evidence
package.jsonmain.jsmodules/hook-installer.cjsmodules/http-server.cjsmodules/ws-client.cjsshared/config.cjs~/.claude/hooks/vibemon.py~/.codex/hooks/vibemon.py~/.kiro/hooks/vibemon.py~/.openclaw/extensions/vibemon-bridge/index.mjs
Network endpoints2
docs.vibemon.io/install.pywss://ws.vibemon.io
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `modules/hook-installer.cjs` detects `.claude`, `.codex`, `.kiro`, and `.openclaw` installations and their VibeMon hook paths.
- After an Electron runtime prompt accepts “Install,” it downloads `https://docs.vibemon.io/install.py` and pipes it to `python3 - --yes`.
- The installer receives the configured VibeMon token as a `--token` argument; `VIBEMON_DOCS_URL` can override the script host.
- Startup schedules recurring checks that prompt for missing hooks, but no npm lifecycle hook is declared.
Evidence against
- `package.json` has no `preinstall`, `install`, `postinstall`, or other lifecycle script.
- Hook execution is gated by an Electron dialog or explicit settings/tray action, not package installation.
- The local HTTP server binds only to `127.0.0.1`; CORS allows localhost origins only.
- No source evidence of credential harvesting, destructive file operations, obfuscated payloads, or silent foreign-agent mutation.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkWebSocket
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourceassets/icon.icnsView file
•path = assets/icon.icns
kind = high_entropy_blob
sizeBytes = 23136
magicHex = [redacted]
High
main.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = vibemon@1.16.3
matchedIdentity = npm:dmliZW1vbg:1.16.3
similarity = 0.647
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
main.jsView on unpkgFindings
2 High3 Medium4 Low
HighShips High Entropy Blobassets/icon.icns
HighPrevious Version Dangerous Deltamain.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings