@eldestar/curator@1.0.1

A portable session-protocol skill for Claude Code — instant orientation, no doc sprawl.

AI Security Review

scanned 1h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package uses npm postinstall to mutate the user's global Claude Code control surface. It installs slash-command files and registers a SessionStart command hook in ~/.claude/settings.json.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install or npx execution that runs postinstall
Impact
Future Claude sessions may execute package-supplied hook code and receive package-shaped instructions/context without an explicit opt-in step.
Mechanism
unconsented lifecycle mutation of Claude Code settings and commands
Policy narrative
On npm lifecycle execution, scripts/postinstall.js creates ~/.claude, copies package skills into ~/.claude/commands, drops hooks/session-start.sh as ~/.claude/curator-hook.sh, and appends a SessionStart command hook to ~/.claude/settings.json. The hook later runs inside Claude Code sessions and emits project protocol, git state, and session log context when .protocol.md exists.
Rationale
Although the payload is product-aligned and lacks network exfiltration, it is lifecycle-triggered and unconditionally rewrites a broad foreign AI-agent control surface under ~/.claude. Under the install-control-surface policy, this is blockable AI-agent control hijack.
Evidence
  • package.json
  • scripts/postinstall.js
  • hooks/session-start.sh
  • skills/setup.md
  • skills/curator-setup.md
  • skills/curator-open.md
  • skills/open.md
  • ~/.claude/settings.json
  • ~/.claude/settings.json.bak
  • ~/.claude/curator-hook.sh
  • ~/.claude/commands/*.md

Decision evidence

public snapshot
AI called this Malicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json runs postinstall: node scripts/postinstall.js
  • scripts/postinstall.js copies skills into ~/.claude/commands/ during install
  • scripts/postinstall.js copies hooks/session-start.sh to ~/.claude/curator-hook.sh
  • scripts/postinstall.js rewrites ~/.claude/settings.json SessionStart hooks without an install-time consent gate
  • Installed SessionStart hook injects .protocol.md, git status/log, and DESIGN.md head into Claude context
Evidence against
  • No network fetch or exfiltration endpoint found in package source
  • hooks/session-start.sh exits unless .protocol.md exists in the current project
  • session_log path handling rejects absolute paths, traversal, and symlink escapes
  • Skills instruct manual editing for remoteControlEnabled rather than programmatically enabling it
Behavioral surface
Source
Filesystem
Supply chain: No supply-chain packaging signals triggered.
Manifest: No manifest risk signals triggered.
scanned 1 file(s), 3.29 KB of source

Source & flagged code

3 flagged
package.json
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

hooks/session-start.sh
path = hooks/session-start.sh kind = build_helper sizeBytes = 3570 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.


Findings

1 High · 2 Medium · 2 Low
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Medium: Ships Build Helper (hooks/session-start.sh)
  • Low: Scripts Present
  • Low: Filesystem