@buffbirb/unclaude@1.0.19

An opinionated AI dev tool setup script with a terminal UI. Configure privacy, code intelligence, and tool wrappers for Claude Code and OpenCode.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.
Trigger
User runs `unclaude install`, TUI install, `unclaude container-gh-app`, generated `sbx`, or installed git/Claude hooks.
Impact
Can alter Claude/OpenCode behavior, commit/PR content, local shell config, project hooks/workflows, and forward selected credentials into package-owned containers when the user opts in.
Mechanism
Explicit CLI mutation of AI-agent configs, git hooks, workflows, sandbox wrappers, and tool installs.
Rationale
Source inspection shows a risky but declared setup tool for AI agent privacy/sandbox workflows, activated by user commands rather than npm lifecycle hooks. Under the policy this fits explicit user-command agent config mutation/capability abuse risk, not publish-block malware.
Evidence
package.json, dist/cli.js, dist/install.js, dist/common.js, dist/uninstall.js, dist/ghapp.js, dist/mcp-proxy.js, README.md, ~/.airc, ~/.zshrc, ~/.claude/settings.json, .claude/settings.json, ~/.claude/hooks/strip-commit-attribution.sh, .claude/hooks/strip-commit-attribution.sh, .git/hooks/commit-msg, .git/hooks/pre-commit, .git/hooks/pre-push, .github/workflows/strip-pr-attribution.yml, ~/.local/bin/sbx, ~/.local/bin/headroom-start, ~/.config/opencode/opencode.json, ~/.config/unclaude/container-github-app.json
Network endpoints (8)
astral.sh/uv/install.sh, raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh, api.github.com, github.com, github.com/buffbirb/unclaude, example.com/unused, ghcr.io/buffbirb/claude-sandbox, ghcr.io/buffbirb/opencode-sandbox

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/install.js writes ~/.claude/settings.json and .claude/settings.json attribution/env settings on explicit install
  • dist/common.js registers Claude SessionStart hooks that write .git/hooks/commit-msg
  • dist/common.js SBX wrapper forwards selected AI/GitHub credentials into ghcr.io/buffbirb sandbox containers
  • dist/install.js can install tools via curl, uv, npm, brew/apt/dnf/pacman/winget, go, rustup
  • dist/common.js creates git hooks and .github/workflows/strip-pr-attribution.yml that mutate commits/PR bodies
  • dist/ghapp.js creates/stores GitHub App config and Keychain private key for repo-scoped tokens
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle; only prepublishOnly build
  • Behavior is exposed through unclaude CLI commands/TUI, not import-time execution
  • Network endpoints are documented/package-aligned setup targets, not hidden exfiltration endpoints
  • No broad environment harvesting; credential forwarding is limited to sandbox/runtime feature lists
  • No eval/vm/native binary payload loading found in inspected dist files
  • README documents telemetry, sandbox, token forwarding, and GitHub App behavior
Behavioral surface
Source
ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 6 file(s), 127 KB of source, external domains: api.github.com, astral.sh, example.com, github.com, raw.githubusercontent.com

Source & flagged code

4 flagged
dist/mcp-proxy.js
L12: */
L13: import { spawn } from 'child_process';
L14: import { createInterface } from 'readline';
High
Child Process

Package source references child process execution.

dist/mcp-proxy.js · L12
dist/common.js
matchType = previous_version_dangerous_delta
matchedPackage = @buffbirb/unclaude@1.0.17
matchedIdentity = npm:QGJ1ZmZiaXJiL3VuY2xhdWRl:1.0.17
similarity = 0.500
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/common.js
L377: // sudo never blocks waiting for a password the ink TUI can't deliver.
L378: export const SUDO_HINT = `Re-run after caching sudo credentials:\n sudo -v && npx @buffbirb/unclaude@latest install`;
L379: export async function sudoRun(args) {
L380: return new Promise((resolve, reject) => {
L381: const proc = spawn('sudo', ['-n', ...args], { stdio: ['ignore', 'ignore', 'pipe'] });
L382: proc.on('close', c => (c === 0 ? resolve() : reject(new Error(`sudo ${args[0]} failed (${c})`))));
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/common.js · L377
L1: import { execFile, execFileSync, spawn } from 'child_process';
L2: import { promisify } from 'util';
...
L6: // ── Paths ────────────────────────────────────────────────────────────────────
L7: export const HOME = homedir();
L8: export const AIRC = join(HOME, '.airc');
L9: export const ZSHRC = join(HOME, '.zshrc');
L10: export const CLAUDE_SETTINGS = join(HOME, '.claude', 'settings.json');
...
L138: }
L139: if (process.platform === 'darwin' && supported('appleSandbox')) {
L140: items.push({ id: 'appleSandbox', label: FEATURE_LABELS.appleSandbox, indent: false });
...
L259: export async function run(cmd, args = []) {
L260: const { stdout } = await execFileAsync(cmd, args);
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/common.js · L1

Findings

1 Critical · 3 High · 4 Medium · 5 Low
Critical · Previous Version Dangerous Delta · dist/common.js
High · Child Process · dist/mcp-proxy.js
High · Shell
High · Runtime Package Install · dist/common.js
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · dist/common.js
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings