AI Security Review
scanned 1h ago · by lpm-firewall-ai
LPM blocks this version under the AI-agent control-surface policy. Install-time code mutates the user's global Claude Code control surface. It drops commands/hooks under ~/.claude and registers a SessionStart hook in ~/.claude/settings.json without a separate runtime consent gate.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install or npx @eldestar/curator
Impact
Future Claude Code sessions can execute package-supplied hooks that read project docs/git state and inject instructions/context into the agent session.
Mechanism
unconsented lifecycle mutation of Claude Code hooks
Policy narrative
On install, the package copies its Claude command and hook assets into the user's home Claude directory, then edits ~/.claude/settings.json so Claude Code SessionStart runs the copied hook. That hook reads project-controlled .protocol.md plus local project docs and git state and emits context into the agent session. This is product-aligned behavior, but it is delivered through an npm lifecycle hook into a broad foreign AI-agent control surface without explicit consent at the point of mutation.
Rationale
The package's core behavior is an install-time rewrite of Claude Code's global hooks/settings, which matches the blockable AI-agent control-hijack policy even though no classic malware or network exfiltration was found. The absence of network and secret harvesting reduces traditional malware indicators but does not neutralize the unconsented lifecycle control-surface mutation.
Evidence
- package.json
- scripts/postinstall.js
- hooks/session-start.sh
- hooks/stop.sh
- hooks/curator-adapters.sh
- skills/curator-setup.md
- ~/.claude/commands/*.md
- ~/.claude/curator-hook.sh
- ~/.claude/curator-stop.sh
- ~/.claude/curator-adapters.sh
- ~/.claude/curator-migrate.js
- ~/.claude/settings.json
- ~/.claude/settings.json.bak
Decision evidence
public snapshot
AI called this Malicious at 94.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
- package.json runs postinstall: node scripts/postinstall.js
- scripts/postinstall.js writes package files into ~/.claude/commands and ~/.claude/curator-*.sh/js
- scripts/postinstall.js rewrites ~/.claude/settings.json hooks.SessionStart to execute ~/.claude/curator-hook.sh
- scripts/postinstall.js also wires hooks.Stop when --enforce is passed
- hooks/session-start.sh injects .protocol.md, git state, and project docs into Claude session context
Evidence against
- No network clients or exfiltration endpoints found
- No eval/vm/Function or dynamic remote code loading found
- Hook exits unless .protocol.md exists in the active project
- Session log path has checks against absolute paths, traversal, and symlink escape
Behavioral surface
ChildProcess · Crypto · Filesystem
Source & flagged code
3 flagged
package.json
•scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
•scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.json
hooks/session-start.sh
•path = hooks/session-start.sh
kind = build_helper
sizeBytes = 5300
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
hooks/session-start.sh
Findings
1 High · 2 Medium · 2 Low
High · Install Time Lifecycle Scripts · package.json
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Ships Build Helper · hooks/session-start.sh
Low · Scripts Present
Low · Filesystem