AI Security Review
scanned 2h ago · by lpm-firewall-ai
Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot
- dist/install.js writes ~/.claude/settings.json and .claude/settings.json attribution/env settings on explicit install
- dist/common.js registers Claude SessionStart hooks that write .git/hooks/commit-msg
- dist/common.js SBX wrapper forwards selected AI/GitHub credentials into ghcr.io/buffbirb sandbox containers
- dist/install.js can install tools via curl, uv, npm, brew/apt/dnf/pacman/winget, go, rustup
- dist/common.js creates git hooks and .github/workflows/strip-pr-attribution.yml that mutate commits/PR bodies
- dist/ghapp.js creates/stores GitHub App config and Keychain private key for repo-scoped tokens
- package.json has no preinstall/install/postinstall lifecycle; only prepublishOnly build
- Behavior is exposed through unclaude CLI commands/TUI, not import-time execution
- Network endpoints are documented/package-aligned setup targets, not hidden exfiltration endpoints
- No broad environment harvesting; credential forwarding is limited to sandbox/runtime feature lists
- No eval/vm/native binary payload loading found in inspected dist files
- README documents telemetry, sandbox, token forwarding, and GitHub App behavior
Source & flagged code
4 flagged
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/common.js
Package source invokes a package manager install command at runtime.
dist/common.js · L377
Source writes installer persistence such as shell profile or service configuration.
dist/common.js · L1