registry  /  @haposoft/cafekit  /  0.14.0

@haposoft/cafekit@0.14.0

Claude Code-first spec-driven workflow for AI coding assistants. Bundles CafeKit hapo: skills, runtime hooks, agents, and installer scaffolding.

AI Security Review

scanned 1h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Explicit `cafekit` invocation installs project-local Claude/OpenCode agent files. Optional RTK setup downloads and executes a third-party installer, then registers a global Claude hook. Shipped browser tools can execute user-supplied page JavaScript and inject user-provided authentication data.

Static reason
No blocking static signals were detected.
Trigger
User invokes `cafekit`, opts into RTK, or invokes installed Chrome DevTools skill scripts.
Impact
Dangerous dual-use capability and opt-in agent-extension lifecycle risk; no covert malicious chain was confirmed.
Mechanism
User-invoked AI-agent setup, remote shell bootstrap, and browser automation.
Rationale
The package is not confirmed malicious, but it ships high-impact explicit tooling: remote shell bootstrap, global agent-hook setup, credential-backed usage checks, and arbitrary browser-page evaluation. Per policy, these dangerous/agent-extension capabilities warrant a warning rather than a publish block.
Evidence
package.jsonbin/install.jsbin/phases/setup-rtk.jssrc/claude/hooks/usage.cjssrc/claude/hooks/privacy-block.cjssrc/claude/skills/chrome-devtools/scripts/evaluate.js.claude/settings.json.claude/runtime.json.claude/.credentials.json.opencode/opencode.jsonCLAUDE.md
Network endpoints3
raw.githubusercontent.com/rtk-ai/rtk/main/install.shapi.anthropic.com/api/oauth/usageregistry.npmjs.org/@haposoft/cafekit/latest

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `bin/phases/setup-rtk.js` opt-in path pipes a remote GitHub script to `sh` and runs `rtk init -g`.
  • `src/claude/skills/chrome-devtools/scripts/evaluate.js` evaluates caller-supplied JavaScript in a browser page.
  • `src/claude/hooks/usage.cjs` reads Claude OAuth credentials and sends them only to Anthropic's usage API.
  • The explicit installer writes Claude/OpenCode runtime, hooks, and settings into the invoking project.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
  • `bin/install.js` is an explicit `cafekit` CLI entrypoint, not import-time execution.
  • RTK setup requires `--with-rtk` or an interactive confirmation.
  • Credential use is package-aligned: the hook fetches usage data from Anthropic and caches it locally; no third-party exfiltration was found.
  • `src/claude/hooks/privacy-block.cjs` blocks AI-tool access to common secret-file patterns pending user approval.
  • No binary payloads or hidden executable artifacts were found in the inspected package files.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 81 file(s), 554 KB of source, external domains: api.anthropic.com, github.com, raw.githubusercontent.com, registry.npmjs.org

Source & flagged code

7 flagged · loading source
src/claude/skills/chrome-devtools/scripts/evaluate.jsView file
32// eslint-disable-next-line no-eval L33: return await eval(`(async () => { return ${script}; })()`); L34: }, args.script);
Low
Eval

Package source references a known benign dynamic code generation pattern.

src/claude/skills/chrome-devtools/scripts/evaluate.jsView on unpkg · L32
src/claude/hooks/state.cjsView file
23const crypto = require('crypto'); L24: const { execSync } = require('child_process'); L25: const { parseTranscript } = require('./lib/parser.cjs'); ... L41: const hash = crypto.createHash('md5').update(cwd).digest('hex').slice(0, 12); L42: const global = path.join(os.homedir(), '.claude', 'session-states', hash); L43: if (!fs.existsSync(global)) fs.mkdirSync(global, { recursive: true }); ... L108: timestamp: new Date().toISOString(), L109: branch: process.env.GIT_BRANCH || '', L110: todos: [], ... L216: L217: const data = JSON.parse(stdin); L218: const event = data.hook_event_name || '';
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/claude/hooks/state.cjsView on unpkg · L23
src/claude/skills/ui-ux-pro-max/scripts/design_system.pyView file
path = src/claude/skills/ui-ux-pro-max/scripts/design_system.py kind = build_helper sizeBytes = 43614 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

src/claude/skills/ui-ux-pro-max/scripts/design_system.pyView on unpkg
src/claude/skills/devops/scripts/tests/test_docker_optimize.pyView file
path = [redacted]test_docker_optimize.py kind = payload_in_excluded_dir sizeBytes = 12969 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

src/claude/skills/devops/scripts/tests/test_docker_optimize.pyView on unpkg
src/claude/skills/backend-development/references/backend-testing.mdView file
60patternName = generic_password severity = medium line = 60 matchedText = const us...' };
Medium
Secret Pattern

Hardcoded password in src/claude/skills/backend-development/references/backend-testing.md

src/claude/skills/backend-development/references/backend-testing.mdView on unpkg · L60
src/claude/skills/web-testing/references/api-testing.mdView file
13patternName = generic_password severity = medium line = 13 matchedText = .send({ ... });
Medium
Secret Pattern

Hardcoded password in src/claude/skills/web-testing/references/api-testing.md

src/claude/skills/web-testing/references/api-testing.mdView on unpkg · L13
src/claude/skills/web-testing/references/load-testing-k6.mdView file
54patternName = generic_password severity = medium line = 54 matchedText = email: '...rd',
Medium
Secret Pattern

Hardcoded password in src/claude/skills/web-testing/references/load-testing-k6.md

src/claude/skills/web-testing/references/load-testing-k6.mdView on unpkg · L54

Findings

1 High7 Medium6 Low
HighPayload In Excluded Dirsrc/claude/skills/devops/scripts/tests/test_docker_optimize.py
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpersrc/claude/skills/ui-ux-pro-max/scripts/design_system.py
MediumStructural Risk Force Deep Review
MediumSecret Patternsrc/claude/skills/backend-development/references/backend-testing.md
MediumSecret Patternsrc/claude/skills/web-testing/references/api-testing.md
MediumSecret Patternsrc/claude/skills/web-testing/references/load-testing-k6.md
LowScripts Present
LowEvalsrc/claude/skills/chrome-devtools/scripts/evaluate.js
LowWeak Cryptosrc/claude/hooks/state.cjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings