registry  /  @cliphijack/santaclaude  /  1.0.98

@cliphijack/santaclaude@1.0.98

SantaClaude 커넥터 — 클라우드 예약을 내 로컬 Claude(tmux)에 발사

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Normal CLI runtime persists hooks and bundled skills into the user's global Claude Code configuration. A SessionStart hook can process prior Claude transcripts and autonomously modify and commit project `CLAUDE.md` files.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `santaclaude connect ...` or starts the configured `santaclaude` daemon.
Impact
Broad future Claude-session behavior changes and automated project-file/git mutations; remote service controls prompts sent to the selected tmux pane.
Mechanism
Global Claude hook and skill installation plus token-authenticated remote tmux job injection.
Rationale
Source inspection confirms a real, broad AI-agent extension and autonomous repository mutation path triggered by normal CLI use. Because there are no npm lifecycle hooks or confirmed malicious/exfiltration chain, warn rather than block.
Evidence
package.jsonsantaclaude.jshooks/sc-mdsync.shhooks/mdsync-apply.jshooks/sc-stop.shhooks/sc-notify.sh~/.claude/settings.json~/.claude/settings.json.bak~/.claude/skills~/.claude/projects~/.santaclaude/hook.json~/.santaclaude/sc-stop.sh~/.santaclaude/sc-notify.sh~/.santaclaude/sc-mdsync.shCLAUDE.md
Network endpoints2
santaclaude.appapi.notion.com

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `santaclaude.js` installs Stop, Notification, and SessionStart hooks into `~/.claude/settings.json` on normal runtime.
  • `hooks/mdsync-apply.js` reads Claude transcripts, invokes `claude -p`, appends generated rules to project `CLAUDE.md`, then attempts a git commit.
  • `santaclaude.js` copies bundled skills into `~/.claude/skills` during each daemon start.
  • Daemon polls `https://santaclaude.app` and injects claimed jobs into configured tmux/Claude panes.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or other lifecycle scripts.
  • The foreign Claude configuration mutation occurs only after the user invokes `santaclaude connect` or runs a saved connector.
  • Network endpoints in executable code are package service `https://santaclaude.app` and direct Notion API calls using local BYOK credentials.
  • No eval, VM execution, hidden binary loading, or confirmed credential exfiltration to an unrelated endpoint was found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 7 file(s), 265 KB of source, external domains: api.notion.com, mcp.higgsfield.ai, primeradiant.com, santaclaude.app

Source & flagged code

6 flagged · loading source
bundled-superpowers/skills/brainstorming/scripts/server.cjsView file
536const url = companionUrl(); // must carry the key or the gate 403s it L537: const cp = require('child_process'); L538: // Operator-provided launcher: run as given (this env var is trusted operator input).
High
Child Process

Package source references child process execution.

bundled-superpowers/skills/brainstorming/scripts/server.cjsView on unpkg · L536
1const crypto = require('crypto'); L2: const http = require('http'); L3: const fs = require('fs'); ... L12: function computeAcceptKey(clientKey) { L13: return crypto.createHash('sha1').update(clientKey + WS_MAGIC).digest('base64'); L14: } ... L84: L85: const PORT_FILE = process.env.BRAINSTORM_PORT_FILE || null; L86: const randomPort = () => 49152 + Math.floor(Math.random() * 16383); ... L195: try { sessionStorage.setItem('brainstorm-session-key', ${jsonKey}); } catch (e) {} L196: location.replace('/'); L197: </script>
Low
Weak Crypto

Package source references weak cryptographic algorithms.

bundled-superpowers/skills/brainstorming/scripts/server.cjsView on unpkg · L1
santaclaude.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @cliphijack/santaclaude@1.0.97 matchedIdentity = npm:QGNsaXBoaWphY2svc2FudGFjbGF1ZGU:1.0.97 similarity = 0.857 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

santaclaude.jsView on unpkg
38* [당신 손으로 검증] L39: * - 외부 송신부 전체: 이 파일에서 fetch( 를 검색 → 목적지는 우리 워커(DEFAULT_API)와 L40: * api.notion.com(당신→당신 노션) 둘뿐. 제3자 없음. ... L46: */ L47: const { execFileSync } = require('child_process'); L48: const fs = require('fs'); ... L52: const VER = (() => { try { return require('./package.json').version; } catch (e) { return '0'; } })(); L53: const VIA_NPX = __dirname.includes('_npx') || __dirname.includes('npm-cache') || process.env.SC_AUTOUP === '1'; L54:
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

santaclaude.jsView on unpkg · L38
70const t0 = Date.now(); L71: const r = spawnSync('npx', ['-y', '@cliphijack/santaclaude@' + spec], { stdio: 'inherit', env: { ...process.env, SC_SUP: '1' } }); L72: const lived = Date.now() - t0;
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

santaclaude.jsView on unpkg · L70
bundled-superpowers/skills/systematic-debugging/find-polluter.shView file
path = bundled-superpowers/skills/systematic-debugging/find-polluter.sh kind = build_helper sizeBytes = 1528 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

bundled-superpowers/skills/systematic-debugging/find-polluter.shView on unpkg

Findings

1 Critical4 High4 Medium4 Low
CriticalPrevious Version Dangerous Deltasantaclaude.js
HighChild Processbundled-superpowers/skills/brainstorming/scripts/server.cjs
HighShell
HighSame File Env Network Executionsantaclaude.js
HighRuntime Package Installsantaclaude.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperbundled-superpowers/skills/systematic-debugging/find-polluter.sh
MediumStructural Risk Force Deep Review
LowWeak Cryptobundled-superpowers/skills/brainstorming/scripts/server.cjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings