registry  /  @cliphijack/santaclaude  /  1.0.97

@cliphijack/santaclaude@1.0.97

SantaClaude 커넥터 — 클라우드 예약을 내 로컬 Claude(tmux)에 발사

AI Security Review

scanned 4d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The user-invoked daemon persists broad Claude Code hooks and controls a configured tmux/Claude workspace from a remote service. It exports terminal/transcript data and accepts remote skill/control actions. This is a concrete first-party AI-agent extension lifecycle risk, not npm install-time malware.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `santaclaude connect` or starts the saved paired daemon.
Impact
A compromised or malicious SantaClaude service can modify Claude hook configuration, place skills, inject prompts into tmux, and receive captured local session content.
Mechanism
Remote control, data relay, and automatic Claude Code hook/skill installation.
Rationale
Static source inspection confirms explicit, runtime-installed first-party Claude extension persistence plus remote control and data relay. There is no install lifecycle execution or concealed malware chain, so warn rather than block under the stated policy.
Evidence
package.jsonsantaclaude.jshooks/sc-stop.shhooks/sc-notify.shhooks/sc-mdsync.shhooks/mdsync-apply.js~/.santaclaude.json~/.santaclaude/.env~/.santaclaude/hook.json~/.claude/settings.json~/.claude/settings.json.bak~/.claude/skills<project>/CLAUDE.md
Network endpoints2
santaclaude.appapi.notion.com/v1

Decision evidence

public snapshot
AI called this Suspicious at 96.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `santaclaude.js` remotely receives `ctl` messages and routes them to `runControl`.
  • Runtime auto-installs Stop, Notification, and SessionStart hooks into `~/.claude/settings.json`.
  • The SessionStart hook runs `claude -p`, appends generated rules to project `CLAUDE.md`, and attempts a git commit.
  • The daemon uploads tmux screens, transcript turns, local skill metadata, and outbox files to `https://santaclaude.app`.
  • Remote `skill` commands fetch server-provided files and write them under `~/.claude/skills`.
  • The npx supervisor installs a server-selected `@cliphijack/santaclaude@<target>` version.
Evidence against
  • `package.json` has no lifecycle scripts, so installation alone does not execute the payload.
  • Sensitive behavior activates only after the user runs the paired CLI daemon.
  • No `eval`, VM execution, hidden binary loader, or direct credential theft was found.
  • Hook callbacks use local `127.0.0.1` endpoints with a per-run token.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 7 file(s), 259 KB of source, external domains: api.notion.com, mcp.higgsfield.ai, primeradiant.com, santaclaude.app

Source & flagged code

6 flagged · loading source
bundled-superpowers/skills/brainstorming/scripts/server.cjsView file
536const url = companionUrl(); // must carry the key or the gate 403s it L537: const cp = require('child_process'); L538: // Operator-provided launcher: run as given (this env var is trusted operator input).
High
Child Process

Package source references child process execution.

bundled-superpowers/skills/brainstorming/scripts/server.cjsView on unpkg · L536
1const crypto = require('crypto'); L2: const http = require('http'); L3: const fs = require('fs'); ... L12: function computeAcceptKey(clientKey) { L13: return crypto.createHash('sha1').update(clientKey + WS_MAGIC).digest('base64'); L14: } ... L84: L85: const PORT_FILE = process.env.BRAINSTORM_PORT_FILE || null; L86: const randomPort = () => 49152 + Math.floor(Math.random() * 16383); ... L195: try { sessionStorage.setItem('brainstorm-session-key', ${jsonKey}); } catch (e) {} L196: location.replace('/'); L197: </script>
Low
Weak Crypto

Package source references weak cryptographic algorithms.

bundled-superpowers/skills/brainstorming/scripts/server.cjsView on unpkg · L1
santaclaude.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @cliphijack/santaclaude@1.0.95 matchedIdentity = npm:QGNsaXBoaWphY2svc2FudGFjbGF1ZGU:1.0.95 similarity = 0.857 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

santaclaude.jsView on unpkg
38* [당신 손으로 검증] L39: * - 외부 송신부 전체: 이 파일에서 fetch( 를 검색 → 목적지는 우리 워커(DEFAULT_API)와 L40: * api.notion.com(당신→당신 노션) 둘뿐. 제3자 없음. ... L46: */ L47: const { execFileSync } = require('child_process'); L48: const fs = require('fs'); ... L52: const VER = (() => { try { return require('./package.json').version; } catch (e) { return '0'; } })(); L53: const VIA_NPX = __dirname.includes('_npx') || __dirname.includes('npm-cache') || process.env.SC_AUTOUP === '1'; L54:
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

santaclaude.jsView on unpkg · L38
70const t0 = Date.now(); L71: const r = spawnSync('npx', ['-y', '@cliphijack/santaclaude@' + spec], { stdio: 'inherit', env: { ...process.env, SC_SUP: '1' } }); L72: const lived = Date.now() - t0;
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

santaclaude.jsView on unpkg · L70
bundled-superpowers/skills/systematic-debugging/find-polluter.shView file
path = bundled-superpowers/skills/systematic-debugging/find-polluter.sh kind = build_helper sizeBytes = 1528 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

bundled-superpowers/skills/systematic-debugging/find-polluter.shView on unpkg

Findings

1 Critical4 High4 Medium4 Low
CriticalPrevious Version Dangerous Deltasantaclaude.js
HighChild Processbundled-superpowers/skills/brainstorming/scripts/server.cjs
HighShell
HighSame File Env Network Executionsantaclaude.js
HighRuntime Package Installsantaclaude.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperbundled-superpowers/skills/systematic-debugging/find-polluter.sh
MediumStructural Risk Force Deep Review
LowWeak Cryptobundled-superpowers/skills/brainstorming/scripts/server.cjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings