AI Security Review
scanned 10d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established by source inspection. The package is a high-privilege Claude gateway with intentional runtime command execution, prompt-file generation, bot APIs, app installs, and self-update features.
Decision evidence
public snapshot- package.json has postinstall running `bun install --cwd mcp`.
- dist/api/router.js spawns `claude --print --dangerously-skip-permissions` for user/admin wizard generation.
- dist/cron/manager.js can execute configured cron commands and deliver stdout to Telegram/Discord.
- dist/index.js writes assembled workspace prompts to agent `CLAUDE.md` and syncs bundled skills to user skill dirs.
- Postinstall only installs the bundled mcp subproject dependencies; no credential read/exfil or agent prompt mutation at install time found.
- Network endpoints are package-aligned: Telegram, Discord, npm registry, GitHub raw app/skill registry, local gateway callbacks.
- Command execution paths are runtime features gated by configured agents, admin API routes, cron jobs, app install, or user channel actions.
- Secret/env reads are for documented gateway config and bot tokens under ~/.claude-gateway, not harvested to an attacker endpoint.
- README documents the Claude gateway, channels, app store, cron, self-update, and CLAUDE.md generation behavior.
Source & flagged code
7 flagged · loading sourceInstall-time lifecycle script matches a deterministic static-gate block pattern.
package.jsonView on unpkgPackage defines install-time lifecycle scripts.
package.jsonView on unpkgPackage source references child process execution.
dist/discord/receiver.jsView on unpkg · L36Source executes local commands and sends command output to an external endpoint.
dist/api/router.jsView on unpkg · L42A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/api/router.jsView on unpkg · L42A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/api/router.jsView on unpkg · L81Package source invokes a package manager install command at runtime.
dist/api/packages.jsView on unpkg · L192