AI Security Review
scanned 1h ago · by lpm-firewall-ai
LPM blocks this version under the AI-agent control-surface policy. The package uses npm postinstall to mutate the user's global Claude Code control surface. It installs slash-command files and registers a SessionStart command hook in ~/.claude/settings.json.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install or npx execution that runs postinstall
Impact
Future Claude sessions may execute package-supplied hook code and receive package-shaped instructions/context without an explicit opt-in step.
Mechanism
unconsented lifecycle mutation of Claude Code settings and commands
Policy narrative
On npm lifecycle execution, scripts/postinstall.js creates ~/.claude, copies package skills into ~/.claude/commands, drops hooks/session-start.sh as ~/.claude/curator-hook.sh, and appends a SessionStart command hook to ~/.claude/settings.json. The hook later runs inside Claude Code sessions and emits project protocol, git state, and session log context when .protocol.md exists.
Rationale
Although the payload is product-aligned and lacks network exfiltration, it is lifecycle-triggered and unconditionally rewrites a broad foreign AI-agent control surface under ~/.claude. Under the install-control-surface policy, this is a blockable AI-agent control hijack.
Evidence
- package.json
- scripts/postinstall.js
- hooks/session-start.sh
- skills/setup.md
- skills/curator-setup.md
- skills/curator-open.md
- skills/open.md
- ~/.claude/settings.json
- ~/.claude/settings.json.bak
- ~/.claude/curator-hook.sh
- ~/.claude/commands/*.md
Decision evidence
public snapshot
AI called this Malicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
- package.json runs postinstall: node scripts/postinstall.js
- scripts/postinstall.js copies skills into ~/.claude/commands/ during install
- scripts/postinstall.js copies hooks/session-start.sh to ~/.claude/curator-hook.sh
- scripts/postinstall.js rewrites ~/.claude/settings.json SessionStart hooks without an install-time consent gate
- Installed SessionStart hook injects .protocol.md, git status/log, and DESIGN.md head into Claude context
Evidence against
- No network fetch or exfiltration endpoint found in package source
- hooks/session-start.sh exits unless .protocol.md exists in the current project
- session_log path handling rejects absolute paths, traversal, and symlink escapes
- Skills instruct manual editing for remoteControlEnabled rather than programmatically enabling it
Behavioral surface
Filesystem
Source & flagged code
3 flagged
package.json
•scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
•scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.json
hooks/session-start.sh
•path = hooks/session-start.sh
kind = build_helper
sizeBytes = 3570
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
hooks/session-start.sh
Findings
1 High · 2 Medium · 2 Low
- High: Install Time Lifecycle Scripts (package.json)
- Medium: Ambiguous Install Lifecycle Script (package.json)
- Medium: Ships Build Helper (hooks/session-start.sh)
- Low: Scripts Present
- Low: Filesystem