
@0xmmo/crew@0.1.4

Shared context for Claude Code agents — auto-injects what your other running sessions are doing into every session's context via hooks. Also a CLI to watch them yourself.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. A global npm install runs a postinstall script that mutates Claude Code user settings to register a package command hook. The hook reads the metadata and transcripts of other local Claude sessions and injects that transcript context into future Claude sessions.

Static reason
One or more suspicious static signals were detected.
Trigger
npm global install postinstall; later Claude Code SessionStart/UserPromptSubmit hooks
Impact
Unconsented modification of a broad AI-agent control surface and automatic cross-session context injection
Mechanism
lifecycle-installed Claude Code hook
Policy narrative
On global npm install, postinstall checks npm's global-install flag, then updates Claude Code settings to add `crew --hook` as a SessionStart and UserPromptSubmit hook. When Claude Code invokes the hook, the package reads local Claude session metadata and transcripts, then emits that content as additionalContext into a different Claude session.
Rationale
Although product-aligned and documented, the package uses an npm lifecycle hook to mutate Claude Code user settings and install an agent hook without an explicit, user-run install command. Under the firewall policy this unconsented lifecycle mutation of a foreign AI-agent control surface is blockable.
Evidence
package.json
dist/postinstall.js
dist/settings.js
dist/crew.js
README.md
~/.claude/settings.json
$CLAUDE_CONFIG_DIR/settings.json
$CLAUDE_HOME/settings.json
~/.claude/sessions/*.json
~/.claude/projects/**/*.jsonl
/tmp/crew-hook-*

Decision evidence

public snapshot
AI called this Malicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node dist/postinstall.js || true
  • dist/postinstall.js runs on global npm install and calls installHook unless CREW_NO_HOOK=1
  • dist/settings.js writes crew --hook into Claude Code SessionStart and UserPromptSubmit hooks in settings.json
  • dist/crew.js hook reads ~/.claude sessions/projects transcripts and emits additionalContext to Claude
Evidence against
  • postinstall is guarded to global npm installs and has CREW_NO_HOOK opt-out
  • No network fetch/exfiltration endpoints found
  • CLI includes uninstall-hook and merges settings without clobbering unparsable JSON
Behavioral surface
Source
ChildProcess, Crypto, EnvironmentVars, Filesystem
Supply chain
No supply-chain packaging signals triggered.
Manifest
No manifest risk signals triggered.
scanned 3 file(s), 23.8 KB of source

Source & flagged code

2 flagged

package.json
scripts.postinstall = node dist/postinstall.js || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node dist/postinstall.js || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

Findings

1 High · 2 Medium · 2 Low
High · Install Time Lifecycle Scripts · package.json
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Environment Vars
Low · Scripts Present
Low · Filesystem