registry  /  @creator-notes/cnotes  /  0.24.3

@creator-notes/cnotes@0.24.3

CLI for CreatorNotes — create notes, build canvases, search knowledge from the terminal

AI Security Review

scanned 8h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The CLI can install first-party skills and a Claude Code SessionStart hook after explicit user-driven setup. It also refreshes its already-installed skill copies on normal CLI invocation.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `cnotes init` and accepts prompts, or invokes package setup/skill commands.
Impact
Adds package-controlled agent instructions and records Claude session metadata locally; no unconsented install-time mutation or exfiltration was confirmed.
Mechanism
User-consented AI-agent extension and session-hook configuration.
Rationale
Source inspection contradicts the scanner's malicious conclusion: the `shell` and package-install behavior is an interactive global-install option, not lifecycle execution. The package warrants a warning for user-consented AI-agent configuration and automatic refresh of previously installed skills, not a publish block.
Evidence
package.jsondist/commands/init.jsdist/lib/install-hook.jsdist/commands/claude-hook.jsdist/lib/install-skill.jsdist/cn.js~/.claude/settings.json~/.claude/settings.json.bak~/.claude/skills/cnotes/SKILL.md~/.codex/skills/cnotes/SKILL.mdCLAUDE_SESSION_FILE

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/lib/install-hook.js` adds a Claude Code `SessionStart` command hook to `~/.claude/settings.json`.
  • `dist/commands/claude-hook.js` stores Claude session ID and cwd in a package state file.
  • `dist/lib/install-skill.js` copies bundled skills into existing Claude/Codex agent skill directories.
  • `dist/commands/init.js` can run `npm install -g @creator-notes/cnotes` after interactive confirmation.
Evidence against
  • `package.json` has only `prepublishOnly`; no install-time lifecycle hook.
  • Agent config, skills, hook, MCP, and global-install actions are reached from explicit CLI commands or interactive `init` prompts.
  • Hook payload handling writes local session metadata only; inspected source shows no exfiltration path.
  • Network client usage targets the configured CreatorNotes server API for the package's note/workspace functions.
  • Dynamic imports in `cnotes.cjs` and `cnotes-mcp.cjs` load fixed local package entrypoints.
  • No inspected source showed eval, remote code download/execution, credential harvesting, or destructive behavior.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 47 file(s), 408 KB of source, external domains: ai.google.dev, creatornotes.app, generativelanguage.googleapis.com, nodejs.org

Source & flagged code

5 flagged · loading source
dist/commands/init.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @creator-notes/cnotes@0.24.2 matchedIdentity = npm:QGNyZWF0b3Itbm90ZXMvY25vdGVz:0.24.2 similarity = 0.851 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/commands/init.jsView on unpkg
1import { confirm, select } from "@inquirer/prompts"; L2: import { spawnSync } from "child_process"; L3: import { loadConfig, getServerConfig, setWorkspaceId, } from "../lib/auth-store.js";
High
Child Process

Package source references child process execution.

dist/commands/init.jsView on unpkg · L1
92function installGlobally() { L93: // `shell: true` is required on Windows so npm.cmd resolves correctly. L94: const result = spawnSync("npm", ["install", "-g", "@creator-notes/cnotes"], {
High
Shell

Package source references shell execution.

dist/commands/init.jsView on unpkg · L92
85* Best-effort command prefix for copy-pasteable hints. L86: * Returns "cnotes" when globally installed, otherwise the full npx form — L87: * `npx cnotes` does NOT resolve (the published package is @creator-notes/cnotes). ... L92: function installGlobally() { L93: // `shell: true` is required on Windows so npm.cmd resolves correctly. L94: const result = spawnSync("npm", ["install", "-g", "@creator-notes/cnotes"], {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/commands/init.jsView on unpkg · L85
dist/cn.jsView file
3import { Command } from "commander"; L4: const require = createRequire(import.meta.url); L5: const pkg = require("../package.json");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cn.jsView on unpkg · L3

Findings

1 Critical3 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/commands/init.js
HighChild Processdist/commands/init.js
HighShelldist/commands/init.js
HighRuntime Package Installdist/commands/init.js
MediumDynamic Requiredist/cn.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings