registry  /  2real-team-framework  /  0.5.0

2real-team-framework@0.5.0

Drop-in AI agent team framework for Claude Code projects

AI Security Review

scanned 4h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package is a user-invoked Claude Code team/framework installer. It can intentionally write `.claude` settings, hooks, skills, config, root `CLAUDE.md`, and optionally a git pre-push hook, creating agent extension lifecycle risk but not confirmed malware.

Static reason
No blocking static signals were detected.
Trigger
User runs `2real-team init` or standalone `framework/install/bootstrap.py`.
Impact
Project-local agent behavior and permissions are modified after user command; no unconsented npm install-time mutation or exfiltration confirmed.
Mechanism
explicit project-scoped Claude Code hook and settings installation
Rationale
Source inspection shows explicit, package-aligned agent framework setup with no npm lifecycle hooks or concrete malicious chain. Because it modifies Claude Code control surfaces when invoked, warn rather than block.
Evidence
package.jsondist/index.jsdist/bootstrap.jsdist/framework-install.jsdist/personas.jsframework/install/bootstrap.pyframework/assets/settings.template.jsonCLAUDE.md.claude/settings.json.claude/framework.config.json.claude/install.config.json.claude/hooks/*.claude/lib/*.claude/skills/*.claude/team/*.git/hooks/pre-push
Network endpoints2
github.com/parametrization/2real-team-frameworkwww.python.org/downloads/

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
  • dist/index.js exposes only user-invoked CLI commands; no npm lifecycle hooks in package.json.
  • dist/bootstrap.js `init` writes project `CLAUDE.md` and `.claude/**` scaffolding, then calls runtime installer when hooks are enabled.
  • dist/framework-install.js spawns bundled `framework/install/bootstrap.py` with `--no-team --non-interactive`.
  • framework/assets/settings.template.json wires Claude Code hooks and grants `.claude/**` Read/Edit/Write permissions.
  • framework/install/bootstrap.py can merge `.claude/settings.json`, copy hooks/libs/skills, and optionally install `.git/hooks/pre-push`.
  • dist/personas.js uses `ANTHROPIC_API_KEY` only for explicit `--ai-personas` persona generation via Anthropic SDK.
Evidence against
  • package.json has no preinstall/install/postinstall scripts.
  • No import-time execution beyond CLI setup in dist/index.js.
  • Network/API use is optional and package-aligned persona generation, not credential harvesting.
  • No hardcoded exfiltration endpoint or remote payload fetch found.
  • Claude control-surface writes are under explicit CLI init/bootstrap paths, not unconsented install-time mutation.
  • Installed hooks are local guardrails/dispatchers and fail-open on errors; no stealth persistence observed.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 7 file(s), 44.8 KB of source, external domains: www.python.org

Source & flagged code

1 flagged · loading source
framework/install/bootstrap.pyView file
path = framework/install/bootstrap.py kind = build_helper sizeBytes = 72135 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

framework/install/bootstrap.pyView on unpkg

Findings

3 Medium4 Low
MediumEnvironment Vars
MediumShips Build Helperframework/install/bootstrap.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings