AI Security Review
scanned 13h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The package includes an explicit local guard CLI that can install AstraSync-managed git and Claude Code hooks. This is a guarded agent-control integration risk, but not install-time hijacking or confirmed malware.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs astrasync guard install-hooks or astrasync guard install-claude-code.
Impact
Adds first-party AstraSync guard hooks that can ask/deny agent tool actions or run checks before git operations.
Mechanism
explicit CLI hook installation and local policy enforcement
Rationale
Source inspection shows explicit, first-party agent guard setup that mutates Claude Code/git control surfaces only when the user invokes the CLI. Under the policy this warrants a warning for agent extension lifecycle risk, not a publish block.
Evidence
package.jsondist/bin/astrasync-guard.jsdist/bin/astrasync-claude-hook.jsdist/git-trigger/git-hooks.jsdist/claude-code/claude-code-adapter.jsdist/cli/index.jsdist/registration/index.js.git/hooks/pre-push.claude/settings.json.astrasync/policy.yaml.astrasync/guard.json.astrasync/configlocal-policy.yaml
Network endpoints4
astrasync.aiastrasync.ai/apiapi.astrasync.aistaging.astrasync.ai/api
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- dist/bin/astrasync-guard.js exposes explicit user commands install-hooks and install-claude-code that write git hooks and Claude Code PreToolUse hooks.
- dist/bin/astrasync-guard.js can write ~/.claude/settings.json or project .claude/settings.json and .astrasync policy/config files when invoked.
- dist/git-trigger/git-hooks.js writes .git/hooks/pre-push with an npx astrasync guard check command and uses git diff via execSync during hook checks.
Evidence against
- package.json has no preinstall/install/postinstall hooks; only prepublishOnly build steps.
- Claude hook setup is explicit CLI action, not automatic install-time mutation.
- dist/bin/astrasync-claude-hook.js evaluates tool payloads against local policy and emits deny/ask decisions; no credential harvesting or exfiltration seen.
- Network calls target package-aligned AstraSync endpoints such as https://astrasync.ai and configured apiBaseUrl verification endpoints.
- No obfuscated payload, eval/new Function, native binary loading, or destructive persistence found in inspected entrypoints.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/bin/astrasync-guard.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @astrasyncai/verification-gateway@3.5.0
matchedIdentity = npm:[redacted]:3.5.0
similarity = 0.732
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/bin/astrasync-guard.jsView on unpkgFindings
1 High2 Medium5 Low
HighPrevious Version Dangerous Deltadist/bin/astrasync-guard.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings