AI Security Review
scanned 8h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The CLI can install first-party skills and a Claude Code SessionStart hook after explicit user-driven setup. It also refreshes its already-installed skill copies on normal CLI invocation.
Decision evidence
public snapshot- `dist/lib/install-hook.js` adds a Claude Code `SessionStart` command hook to `~/.claude/settings.json`.
- `dist/commands/claude-hook.js` stores Claude session ID and cwd in a package state file.
- `dist/lib/install-skill.js` copies bundled skills into existing Claude/Codex agent skill directories.
- `dist/commands/init.js` can run `npm install -g @creator-notes/cnotes` after interactive confirmation.
- `package.json` has only `prepublishOnly`; no install-time lifecycle hook.
- Agent config, skills, hook, MCP, and global-install actions are reached from explicit CLI commands or interactive `init` prompts.
- Hook payload handling writes local session metadata only; inspected source shows no exfiltration path.
- Network client usage targets the configured CreatorNotes server API for the package's note/workspace functions.
- Dynamic imports in `cnotes.cjs` and `cnotes-mcp.cjs` load fixed local package entrypoints.
- No inspected source showed eval, remote code download/execution, credential harvesting, or destructive behavior.
Source & flagged code
5 flagged · loading sourceThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/commands/init.jsView on unpkgPackage source references child process execution.
dist/commands/init.jsView on unpkg · L1Package source invokes a package manager install command at runtime.
dist/commands/init.jsView on unpkg · L85Package source references dynamic require/import behavior.
dist/cn.jsView on unpkg · L3