AI Security Review
scanned 4h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The package is a user-invoked Claude Code team/framework installer. It can intentionally write `.claude` settings, hooks, skills, config, root `CLAUDE.md`, and optionally a git pre-push hook, creating agent extension lifecycle risk but not confirmed malware.
Static reason
No blocking static signals were detected.
Trigger
User runs `2real-team init` or standalone `framework/install/bootstrap.py`.
Impact
Project-local agent behavior and permissions are modified after user command; no unconsented npm install-time mutation or exfiltration confirmed.
Mechanism
explicit project-scoped Claude Code hook and settings installation
Rationale
Source inspection shows explicit, package-aligned agent framework setup with no npm lifecycle hooks or concrete malicious chain. Because it modifies Claude Code control surfaces when invoked, warn rather than block.
Evidence
package.jsondist/index.jsdist/bootstrap.jsdist/framework-install.jsdist/personas.jsframework/install/bootstrap.pyframework/assets/settings.template.jsonCLAUDE.md.claude/settings.json.claude/framework.config.json.claude/install.config.json.claude/hooks/*.claude/lib/*.claude/skills/*.claude/team/*.git/hooks/pre-push
Network endpoints2
github.com/parametrization/2real-team-frameworkwww.python.org/downloads/
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
- dist/index.js exposes only user-invoked CLI commands; no npm lifecycle hooks in package.json.
- dist/bootstrap.js `init` writes project `CLAUDE.md` and `.claude/**` scaffolding, then calls runtime installer when hooks are enabled.
- dist/framework-install.js spawns bundled `framework/install/bootstrap.py` with `--no-team --non-interactive`.
- framework/assets/settings.template.json wires Claude Code hooks and grants `.claude/**` Read/Edit/Write permissions.
- framework/install/bootstrap.py can merge `.claude/settings.json`, copy hooks/libs/skills, and optionally install `.git/hooks/pre-push`.
- dist/personas.js uses `ANTHROPIC_API_KEY` only for explicit `--ai-personas` persona generation via Anthropic SDK.
Evidence against
- package.json has no preinstall/install/postinstall scripts.
- No import-time execution beyond CLI setup in dist/index.js.
- Network/API use is optional and package-aligned persona generation, not credential harvesting.
- No hardcoded exfiltration endpoint or remote payload fetch found.
- Claude control-surface writes are under explicit CLI init/bootstrap paths, not unconsented install-time mutation.
- Installed hooks are local guardrails/dispatchers and fail-open on errors; no stealth persistence observed.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourceframework/install/bootstrap.pyView file
•path = framework/install/bootstrap.py
kind = build_helper
sizeBytes = 72135
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
framework/install/bootstrap.pyView on unpkgFindings
3 Medium4 Low
MediumEnvironment Vars
MediumShips Build Helperframework/install/bootstrap.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings