registry  /  @0xmmo/crew  /  0.2.4

@0xmmo/crew@0.2.4

Let Claude Code agents talk to each other: live shared context across sessions and agent-to-agent messaging. Ship features in parallel, no branches, no worktrees.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Global npm install mutates Claude Code's user settings to run this package as a hook on multiple agent events. The hook reads local Claude session metadata/transcript tails and injects cross-session context/messages into Claude Code.

Static reason
One or more suspicious static signals were detected.
Trigger
npm global install lifecycle postinstall, then Claude Code hook events
Impact
Persistent agent control-surface modification and automatic injection of package-generated context into Claude sessions.
Mechanism
unconsented lifecycle registration into foreign AI-agent hooks
Policy narrative
On global npm install, postinstall calls installHook(), which creates or edits Claude Code user settings and adds crew --hook to four hook events. Subsequent Claude events run the package automatically, read other Claude session files/transcripts, drain file-based messages, and emit additionalContext back into the agent.
Rationale
Although the functionality is package-aligned and documented, it lifecycle-mutates a broad Claude Code control surface in the user's home config without an interactive opt-in. Under the install-control-surface policy, this is blockable AI-agent control hijack rather than a mere scanner false positive.
Evidence
package.jsondist/postinstall.jsdist/settings.jsdist/crew.jsdist/mailbox.jshooks/hooks.json.claude-plugin/plugin.json~/.claude/settings.json~/.claude/sessions/*.json~/.claude/projects/**/*.jsonl~/.claude/crew/inbox/**/tmp/crew-hook-*

Decision evidence

public snapshot
AI called this Malicious at 94.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node dist/postinstall.js || true
  • dist/postinstall.js auto-runs on global npm install unless CREW_NO_HOOK=1
  • dist/settings.js writes crew --hook into Claude Code user settings hooks
  • Hook is added to SessionStart, UserPromptSubmit, PostToolUse, and Stop
  • dist/crew.js hook reads Claude session metadata/transcripts and injects additionalContext
  • dist/mailbox.js writes and drains ~/.claude/crew/inbox messages into agent context
Evidence against
  • postinstall skips non-global installs
  • README documents the auto hook behavior and uninstall command
  • No network exfiltration code found in dist files
  • No remote code download, eval, or dynamic require found
  • Settings merge refuses unparsable settings instead of clobbering
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystem
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 37.8 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node dist/postinstall.js || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node dist/postinstall.js || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High2 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
LowScripts Present
LowFilesystem