registry  /  @hasna/hooks  /  0.3.4

@hasna/hooks@0.3.4

Open source hooks library for AI coding agents - Install safety, quality, and automation hooks with a single command

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package is an AI-agent hook manager with explicit commands and MCP tools that can register hooks into agent settings. This is a guarded lifecycle/control-surface risk, but source inspection did not show unconsented install-time hijack or exfiltration.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs hooks install/hooks setup/MCP install tools or enables individual hooks
Impact
Can add first-party hook commands to agent settings and execute local formatter/knowledge/notification commands during agent lifecycle events
Mechanism
explicit agent hook registration and user-invoked hook command execution
Rationale
Static source inspection shows explicit hook-management behavior and user-invoked command/network primitives, but the postinstall only creates the package-owned profile directory and does not mutate foreign agent settings. This fits warn-level agent extension lifecycle risk rather than malicious publish blocking.
Evidence
package.jsonbin/index.jsdist/index.jshooks/hook-autoformat/src/hook.tshooks/hook-knowledge-context/src/hook.tshooks/hook-slacknotify/src/hook.tshooks/hook-phonenotify/src/hook.tshooks/hook-packageage/src/hook.ts$HOME/.hasna/hooks/profiles~/.claude/settings.json~/.gemini/settings.json.claude/settings.json.gemini/settings.json.codewith/config.toml
Network endpoints4
registry.npmjs.orgntfy.shlocalhost:<port>/sselocalhost:<port>/mcp

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall, but it only creates $HOME/.hasna/hooks/profiles.
  • bin/index.js install commands can register hooks into ~/.claude/settings.json, ~/.gemini/settings.json, or project settings.
  • bin/index.js exposes MCP tools such as hooks_install/hooks_setup that call installHook.
  • hooks/hook-autoformat/src/hook.ts runs formatters via execSync including bunx prettier/biome on edited files.
  • hooks/hook-knowledge-context/src/hook.ts spawns a configurable knowledge command on agent events.
Evidence against
  • No install-time mutation of Claude/Gemini/Codewith settings found; broad agent config writes require explicit CLI/MCP action.
  • Codewith writes are fragment-only by default and direct writes require --apply-codewith plus --codewith-config.
  • No credential harvesting or hardcoded exfiltration endpoint found in inspected files.
  • Network uses appear package-aligned or user-configured: npm registry checks, ntfy/Slack notifications, local MCP HTTP, optional Postgres storage.
  • Suspicious child_process use is hook functionality triggered by installed hooks, not import-time or postinstall execution.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
WildcardDependency
scanned 75 file(s), 870 KB of source, external domains: console.anthropic.com, ntfy.sh, registry.npmjs.org

Source & flagged code

7 flagged · loading source
package.jsonView file
scripts.postinstall = mkdir -p $HOME/.hasna/hooks/profiles 2>/dev/null || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = mkdir -p $HOME/.hasna/hooks/profiles 2>/dev/null || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/index.jsView file
628var EventEmitter = __require("events").EventEmitter; L629: var childProcess = __require("child_process"); L630: var path = __require("path");
High
Child Process

Package source references child process execution.

bin/index.jsView on unpkg · L628
1070} L1071: const execArgv = process2.execArgv ?? []; L1072: if (execArgv.includes("-e") || execArgv.includes("--eval") || execArgv.includes("-p") || execArgv.includes("--print")) {
High
Shell

Package source references shell execution.

bin/index.jsView on unpkg · L1070
52Manifest entrypoint (manifest.bin) carries capability families absent from dist/build output: environment+network, sensitive-file+network, execution+network L52: class CommanderError extends Error { L53: constructor(exitCode, code, message) { L54: super(message); ... L628: var EventEmitter = __require("events").EventEmitter; L629: var childProcess = __require("child_process"); L630: var path = __require("path"); ... L673: this._outputConfiguration = { L674: writeOut: (str) => process2.stdout.write(str), L675: writeErr: (str) => process2.stderr.write(str), ... L4068: return codewithConfigPath; L4069: if (target === "codewith" && process.env.HASNA_HOOKS_CODEWITH_CONFIG_PATH) { L4070: return process.env.HASNA_HOOKS_CODEWITH_CONFIG_PATH;
High
Entrypoint Build Divergence

Manifest entrypoint contains risky behavior absent from dist/build output.

bin/index.jsView on unpkg · L52
hooks/hook-autoformat/src/hook.tsView file
8* L9: * - .prettierrc / prettier in package.json → bunx prettier --write <file> L10: * - biome.json → bunx biome format --write <file> ... L17: import { join, extname } from "path"; L18: import { execSync } from "child_process"; L19:
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

hooks/hook-autoformat/src/hook.tsView on unpkg · L8
hooks/hook-knowledge-context/src/hook.tsView file
matchType = previous_version_dangerous_delta matchedPackage = @hasna/hooks@0.3.1 matchedIdentity = npm:QGhhc25hL2hvb2tz:0.3.1 similarity = 0.973 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

hooks/hook-knowledge-context/src/hook.tsView on unpkg

Findings

1 Critical5 High5 Medium5 Low
CriticalPrevious Version Dangerous Deltahooks/hook-knowledge-context/src/hook.ts
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processbin/index.js
HighShellbin/index.js
HighEntrypoint Build Divergencebin/index.js
HighRuntime Package Installhooks/hook-autoformat/src/hook.ts
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings