AI Security Review
scanned 4h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The package is a first-party Claude Code team framework installer with explicit user-command setup of agent hooks and project policy files. This creates agent extension lifecycle risk, but no confirmed malicious attack chain.
Static reason
No blocking static signals were detected.
Trigger
User runs `2real-team init` or explicit framework bootstrap commands.
Impact
Claude Code sessions in the target repo may execute bundled Python hooks and enforce/warn on git/GitHub workflows; no exfiltration or unauthorized install-time mutation was found.
Mechanism
Project-scoped Claude Code settings/hooks bootstrap and optional policy hook installation.
Rationale
Static source inspection supports a warning-level first-party agent extension lifecycle risk rather than malware. There is no npm install-time mutation or concrete malicious behavior, so it should not be publish-blocked.
Evidence
package.jsondist/index.jsdist/bootstrap.jsdist/framework-install.jsdist/personas.jsframework/install/bootstrap.pyframework/assets/settings.template.jsonframework/assets/hooks/dispatcher.pyframework/assets/hooks/session_handoff.pyCLAUDE.md.claude/settings.json.claude/framework.config.json.claude/install.config.json.claude/hooks/*.py.claude/lib/*.py.claude/skills/**.claude/team/**ontology/**.git/hooks/pre-push
Network endpoints2
github.com/parametrization/2real-team-frameworkgithub.com/parametrization/2real-team-framework.git
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Benign with medium false-positive risk.
Evidence for warning
- `dist/bootstrap.js` user command writes `CLAUDE.md` and `.claude/team`, `.claude/skills` files.
- `dist/framework-install.js` runs bundled `framework/install/bootstrap.py` during `2real-team init`.
- `framework/assets/settings.template.json` wires Claude Code hooks to run `.claude/hooks/*.py` and grants `.claude/**` read/write permissions.
- `framework/install/bootstrap.py` can install a git `pre-push` hook and copy hook/lib/skill assets into target repos.
- Hook modules may call `gh` or git for project policy checks; `dist/personas.js` optionally uses `ANTHROPIC_API_KEY` for AI persona generation.
Evidence against
- `package.json` has no preinstall/install/postinstall lifecycle scripts.
- Agent/Claude settings mutation is explicit via `2real-team init`, not automatic on npm install/import.
- Writes are scoped to target project files such as `.claude/`, `CLAUDE.md`, `ontology/`, and git hooks.
- No source evidence of credential harvesting, broad home-directory persistence, destructive behavior, or remote payload execution.
- Network behavior is package-aligned: optional Anthropic persona generation and `gh` project metadata checks.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourceframework/install/bootstrap.pyView file
•path = framework/install/bootstrap.py
kind = build_helper
sizeBytes = 63770
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
framework/install/bootstrap.pyView on unpkgFindings
3 Medium4 Low
MediumEnvironment Vars
MediumShips Build Helperframework/install/bootstrap.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings