registry  /  @goplausible/regent-plugin-claude  /  1.0.0

@goplausible/regent-plugin-claude@1.0.0

Regent channel plugin for Claude Code — connects Claude Code to Regent wallet peers (e.g. Regent) over Liquid Auth (FIDO2) + WebRTC DataChannels.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. This is a first-party Claude Code channel/MCP extension for remote wallet chat, signing, permission relay, and x402 payments. The main unresolved risk is agent-extension lifecycle and delegated approval capability, not confirmed malware.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User installs/enables the Claude plugin, runs /regent:setup or loads hooks, then starts/pairs the channel server.
Impact
Can relay Claude prompts/tool approval requests to a paired wallet user and request wallet signatures/payments; no confirmed unconsented install-time control-surface mutation or exfiltration.
Mechanism
Claude channel MCP server with local hook listener, wallet WebRTC relay, signing/payment tools, and explicit setup of Claude plugin permissions
Rationale
Source inspection shows a guarded, explicit Claude agent extension with broad delegated approval and wallet-signing capabilities, but no npm install-time mutation, stealth persistence, credential theft, or unapproved wallet drain. Per policy this fits warn/suspicious agent extension lifecycle risk rather than publish-block malware.
Evidence
package.jsondist/server.js.mcp.json.claude-plugin/plugin.jsonhooks/hooks.jsoncommands/setup.mdREADME.mdskills/regent/SKILL.md~/.claude/settings.json~/.claude/channels/regent/hook.port~/.claude/channels/regent/agent-key.json~/.claude/channels/regent/
Network endpoints8
liquidauth.goplausible.xyzfacilitator.goplausible.xyz127.0.0.1mainnet-api.4160.nodely.devtestnet-api.4160.nodely.devapi.mainnet-beta.solana.com/api.devnet.solana.comapi.testnet.solana.com

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • commands/setup.md instructs user-invoked edits to ~/.claude/settings.json enabling channels and allowing mcp__plugin_regent_regent-channel__*.
  • hooks/hooks.json installs Claude hooks that POST prompt/tool events to local 127.0.0.1 hook listener via hook.port.
  • dist/server.js runs an MCP/channel server, writes ~/.claude/channels/regent/hook.port, relays permission_request notifications, and accepts yes/no approvals from wallet chat.
  • dist/server.js exposes signing and x402 payment tools that request wallet approval and can make HTTP requests/pay x402 endpoints after user approval.
  • dist/server.js bundled/minified code is large, but observed behavior is a Claude/Regent channel extension rather than install-time mutation.
Evidence against
  • package.json has no preinstall/install/postinstall hooks; prepublishOnly only cleans, typechecks, and builds before publishing.
  • README.md and skills/regent/SKILL.md state the wallet holds private keys and each signing/payment requires user approval.
  • .mcp.json registers a stdio MCP server through npx for this package rather than stealth persistence.
  • Network endpoints are package-aligned: liquidauth.goplausible.xyz relay, facilitator.goplausible.xyz, chain RPC/explorer URLs, and user-supplied x402 URLs.
  • No source evidence of credential harvesting, shell execution beyond documented Claude hook curl to localhost, destructive filesystem behavior, or remote payload loading.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNativeBindingsNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 1.83 MB of source, external domains: 127.0.0.1, api.devnet.solana.com, api.mainnet-beta.solana.com, api.testnet.solana.com, developer.mozilla.org, example.x402.goplausible.xyz, facilitator.goplausible.xyz, github.com, json-schema.org, liquidauth.goplausible.xyz, mainnet-api.4160.nodely.dev, raw.githubusercontent.com, regent.io, sola.na, testnet-api.4160.nodely.dev, viem.sh, www.w3.org

Source & flagged code

4 flagged · loading source
dist/server.jsView file
6const __filename = __regentFileURLToPath(import.meta.url); L7: const __dirname = __regentDirname(__filename); L8: var Vpe=Object.create;var I5=Object.defineProperty;var qpe=Object.getOwnPropertyDescriptor;var jpe=Object.getOwnPropertyNames;var Hpe=Object.getPrototypeOf,Kpe=Object.prototype.has... L9: `:""},this._extScope=e,this._scope=new Ja.Scope({parent:e}),this._nodes=[new Wb]}toString(){return this._root.render(this.opts)}name(e){return this._scope.name(e)}scopeName(e){retu... L10: || (${s} == "string" && ${i} && ${i} == +${i})`).assign(a,(0,xn._)`+${i}`);return;case"integer":r.elseIf((0,xn._)`${s} === "boolean" || ${i} === null L11: || (${s} === "string" && ${i} && ${i} == +${i} && !(${i} % 1))`).assign(a,(0,xn._)`+${i}`);return;case"boolean":r.elseIf((0,xn._)`${i} === "false" || ${i} === 0 || ${i} === null`).... L12: || ${s} === "boolean" || ${i} === null`).assign(a,(0,xn._)`[${i}]`)}}}function d0e({gen:t,parentData:e,parentDataProperty:n},r){t.if((0,xn._)`${e} !== undefined`,()=>t.assign((0,xn... L13: missingProperty: ${r}, ... L18: ${new this._window.XMLSerializer().serializeToString(f)}`;return typeof Blob>"u"||this._options.jsdom?Buffer.from(E):new Blob([E],{type:x})}
Critical
Wallet Drain

Source uses private key material to transfer cryptocurrency funds.

dist/server.jsView on unpkg · L6
6Trigger-reachable chain: manifest.bin -> dist/server.js L6: const __filename = __regentFileURLToPath(import.meta.url); L7: const __dirname = __regentDirname(__filename); L8: var Vpe=Object.create;var I5=Object.defineProperty;var qpe=Object.getOwnPropertyDescriptor;var jpe=Object.getOwnPropertyNames;var Hpe=Object.getPrototypeOf,Kpe=Object.prototype.has... L9: `:""},this._extScope=e,this._scope=new Ja.Scope({parent:e}),this._nodes=[new Wb]}toString(){return this._root.render(this.opts)}name(e){return this._scope.name(e)}scopeName(e){retu... L10: || (${s} == "string" && ${i} && ${i} == +${i})`).assign(a,(0,xn._)`+${i}`);return;case"integer":r.elseIf((0,xn._)`${s} === "boolean" || ${i} === null L11: || (${s} === "string" && ${i} && ${i} == +${i} && !(${i} % 1))`).assign(a,(0,xn._)`+${i}`);return;case"boolean":r.elseIf((0,xn._)`${i} === "false" || ${i} === 0 || ${i} === null`).... L12: || ${s} === "boolean" || ${i} === null`).assign(a,(0,xn._)`[${i}]`)}}}function d0e({gen:t,parentData:e,parentDataProperty:n},r){t.if((0,xn._)`${e} !== undefined`,()=>t.assign((0,xn... L13: missingProperty: ${r}, ... L18: ${new this._window.XMLSerializer().serializeToString(f)}`;return typeof Blob>"u"||t…
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/server.jsView on unpkg · L6
11|| (${s} === "string" && ${i} && ${i} == +${i} && !(${i} % 1))`).assign(a,(0,xn._)`+${i}`);return;case"boolean":r.elseIf((0,xn._)`${i} === "false" || ${i} === 0 || ${i} === null`).... L12: || ${s} === "boolean" || ${i} === null`).assign(a,(0,xn._)`[${i}]`)}}}function d0e({gen:t,parentData:e,parentDataProperty:n},r){t.if((0,xn._)`${e} !== undefined`,()=>t.assign((0,xn... L13: missingProperty: ${r},
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/server.jsView on unpkg · L11
6const __filename = __regentFileURLToPath(import.meta.url); L7: const __dirname = __regentDirname(__filename); L8: var Vpe=Object.create;var I5=Object.defineProperty;var qpe=Object.getOwnPropertyDescriptor;var jpe=Object.getOwnPropertyNames;var Hpe=Object.getPrototypeOf,Kpe=Object.prototype.has... L9: `:""},this._extScope=e,this._scope=new Ja.Scope({parent:e}),this._nodes=[new Wb]}toString(){return this._root.render(this.opts)}name(e){return this._scope.name(e)}scopeName(e){retu... L10: || (${s} == "string" && ${i} && ${i} == +${i})`).assign(a,(0,xn._)`+${i}`);return;case"integer":r.elseIf((0,xn._)`${s} === "boolean" || ${i} === null L11: || (${s} === "string" && ${i} && ${i} == +${i} && !(${i} % 1))`).assign(a,(0,xn._)`+${i}`);return;case"boolean":r.elseIf((0,xn._)`${i} === "false" || ${i} === 0 || ${i} === null`).... L12: || ${s} === "boolean" || ${i} === null`).assign(a,(0,xn._)`[${i}]`)}}}function d0e({gen:t,parentData:e,parentDataProperty:n},r){t.if((0,xn._)`${e} !== undefined`,()=>t.assign((0,xn... L13: missingProperty: ${r}, ... L18: ${new this._window.XMLSerializer().serializeToString(f)}`;return typeof Blob>"u"||this._options.jsdom?Buffer.from(E):new Blob([E],{type:x})}
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/server.jsView on unpkg · L6

Findings

2 Critical1 High4 Medium8 Low
CriticalWallet Draindist/server.js
CriticalTrigger Reachable Dangerous Capabilitydist/server.js
HighObfuscated
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/server.js
LowWeak Cryptodist/server.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings