AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM blocks this version under the AI-agent control-surface policy. Global npm install mutates Claude Code's user settings to run this package as a hook on multiple agent events. The hook reads local Claude session metadata/transcript tails and injects cross-session context/messages into Claude Code.
Static reason
One or more suspicious static signals were detected.
Trigger
npm global install lifecycle postinstall, then Claude Code hook events
Impact
Persistent agent control-surface modification and automatic injection of package-generated context into Claude sessions.
Mechanism
unconsented lifecycle registration into foreign AI-agent hooks
Policy narrative
On global npm install, postinstall calls installHook(), which creates or edits Claude Code user settings and adds crew --hook to four hook events. Subsequent Claude events run the package automatically, read other Claude session files/transcripts, drain file-based messages, and emit additionalContext back into the agent.
Rationale
Although the functionality is package-aligned and documented, it lifecycle-mutates a broad Claude Code control surface in the user's home config without an interactive opt-in. Under the install-control-surface policy, this is blockable AI-agent control hijack rather than a mere scanner false positive.
Evidence
package.jsondist/postinstall.jsdist/settings.jsdist/crew.jsdist/mailbox.jshooks/hooks.json.claude-plugin/plugin.json~/.claude/settings.json~/.claude/sessions/*.json~/.claude/projects/**/*.jsonl~/.claude/crew/inbox/**/tmp/crew-hook-*
Decision evidence
public snapshotAI called this Malicious at 94.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
- package.json defines postinstall: node dist/postinstall.js || true
- dist/postinstall.js auto-runs on global npm install unless CREW_NO_HOOK=1
- dist/settings.js writes crew --hook into Claude Code user settings hooks
- Hook is added to SessionStart, UserPromptSubmit, PostToolUse, and Stop
- dist/crew.js hook reads Claude session metadata/transcripts and injects additionalContext
- dist/mailbox.js writes and drains ~/.claude/crew/inbox messages into agent context
Evidence against
- postinstall skips non-global installs
- README documents the auto hook behavior and uninstall command
- No network exfiltration code found in dist files
- No remote code download, eval, or dynamic require found
- Settings merge refuses unparsable settings instead of clobbering
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystem
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node dist/postinstall.js || true
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node dist/postinstall.js || true
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High2 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
LowScripts Present
LowFilesystem