AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. A first-party Claude plugin installs an advisory PostToolUse lint hook. The hook reads edited source content or the named local source file and prints findings; no confirmed malicious behavior is established.
Decision evidence
public snapshot- `.claude-plugin/plugin.json` defines a Claude plugin.
- `hooks/hooks.json` runs `bin/adia-lint --hook` after Claude Write/Edit actions.
- `.mcp.json` configures `npx -y @adia-ai/a2ui-mcp@0.8.0` for an optional MCP server.
- `package.json` has no lifecycle scripts or JS entrypoints.
- `bin/adia-lint` only reads supplied/source files and emits advisory findings.
- `bin/adia-scaffold` writes templates only when explicitly invoked.
- No child-process, shell, credential harvesting, exfiltration, or destructive operations found in executable files.
Source & flagged code
2 flagged · loading source`.claude-plugin/plugin.json` defines a Claude plugin.
claude-plugin/plugin.jsonView on unpkg`hooks/hooks.json` runs `bin/adia-lint --hook` after Claude Write/Edit actions.
hooks/hooks.jsonView on unpkg