AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM blocks this version under the AI-agent control-surface policy. Global npm install mutates Claude Code user settings to register a package command hook. The hook reads other Claude sessions and injects transcript context into future Claude sessions.
Static reason
One or more suspicious static signals were detected.
Trigger
npm global install postinstall; later Claude Code SessionStart/UserPromptSubmit hooks
Impact
Unconsented modification of a broad AI-agent control surface and automatic cross-session context injection
Mechanism
lifecycle-installed Claude Code hook
Policy narrative
On global npm install, postinstall checks npm global flags then updates Claude Code settings to add `crew --hook` for SessionStart and UserPromptSubmit. When Claude invokes the hook, the package reads local Claude session metadata and transcripts, then emits that content as additionalContext into another Claude session.
Rationale
Although product-aligned and documented, the package uses an npm lifecycle hook to mutate Claude Code user settings and install an agent hook without an explicit install command. Under the firewall policy this unconsented lifecycle mutation of a foreign AI-agent control surface is blockable.
Evidence
package.jsondist/postinstall.jsdist/settings.jsdist/crew.jsREADME.md~/.claude/settings.json$CLAUDE_CONFIG_DIR/settings.json$CLAUDE_HOME/settings.json~/.claude/sessions/*.json~/.claude/projects/**/*.jsonl/tmp/crew-hook-*
Decision evidence
public snapshotAI called this Malicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
- package.json defines postinstall: node dist/postinstall.js || true
- dist/postinstall.js runs on global npm install and calls installHook unless CREW_NO_HOOK=1
- dist/settings.js writes crew --hook into Claude Code SessionStart and UserPromptSubmit hooks in settings.json
- dist/crew.js hook reads ~/.claude sessions/projects transcripts and emits additionalContext to Claude
Evidence against
- postinstall is guarded to global npm installs and has CREW_NO_HOOK opt-out
- No network fetch/exfiltration endpoints found
- CLI includes uninstall-hook and merges settings without clobbering unparsable JSON
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystem
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node dist/postinstall.js || true
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node dist/postinstall.js || true
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High2 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
LowScripts Present
LowFilesystem