registry  /  @iterate.ai/agentone-token-compression  /  1.1.14

@iterate.ai/agentone-token-compression@1.1.14

AgentOne Token Compression by Iterate.ai. One npm install gives you 40–90% token savings in Claude Code, Claude CLI, and Claude Desktop. Compresses tool outputs, prompts, file reads, and conversation context. Mask-union architecture protects API keys, UUI

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No install-time execution occurs. Explicit CLI setup commands modify first-party AgentOne/Claude extension configuration and install hooks that process Claude input locally. No confirmed exfiltration or remote execution path was found.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `agentone-tc install`, `install-desktop`, or starts the MCP/hooks.
Impact
Configured hooks can transform Claude prompts and tool output; setup changes Claude configuration and launches package-owned local code in future Claude sessions.
Mechanism
User-invoked Claude hook/MCP extension setup with local cache persistence.
Rationale
Source establishes real, user-invoked AI-agent configuration mutation and persistent hook installation, warranting a warning. It does not establish malicious behavior because there are no lifecycle hooks, network clients, shell execution paths, or concrete exfiltration chain.
Evidence
package.jsoncli/agentone-tc.jsmcp-server/index.jssettings.jsonscripts/set-statusline.jshooks/compress-tool-output.jshooks/compress-prompt.jshooks/session-start.jshooks/session-end.jshooks/statusline.js~/.claude/settings.json~/.claude/plugins/agentone-token-compression/Claude Desktop/claude_desktop_config.json

Decision evidence

public snapshot
AI called this Suspicious at 89.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • Explicit `install` copies hooks, commands, and a skill into `~/.claude`.
  • `install` merges package hook commands into `~/.claude/settings.json`.
  • `install-desktop` writes this package's MCP entry to Claude Desktop config.
  • MCP persists compressed-body/cache data under its package data directory.
Evidence against
  • `package.json` has no preinstall/install/postinstall lifecycle scripts.
  • No network client, shell execution, eval, or remote payload loader found.
  • MCP accepts local stdio JSON-RPC and exposes compression/statistics tools.
  • Dynamic require is limited to fixed package-local MCP/stat script candidates.
  • Unicode finding is an intentional zero-width-character sanitization regex.
  • SHA-1 is only used to derive short local body-store identifiers.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystem
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 11 file(s), 1.63 MB of source, external domains: github.com, iterate.ai

Source & flagged code

3 flagged · loading source
mcp-server/index.jsView file
616contains invisible/control Unicode U+200B (zero width space) var ZERO_WIDTH = /[<U+200B>-<U+200D><U+FEFF><U+2060>]/g;
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

mcp-server/index.jsView on unpkg · L616
4var __getOwnPropNames = Object.getOwnPropertyNames; L5: var __commonJS = (cb, mod) => function __require() { L6: return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

mcp-server/index.jsView on unpkg · L4
24try { L25: JSON.parse(trimmed); L26: return "json"; ... L115: const replaced = replaceStrings(value, refMap); L116: return { __refs: refs, data: replaced }; L117: } ... L404: if (/^\s*(?:fn\s+\w+\s*\(|let\s+mut|use\s+\w+::)/m.test(text)) return "rust"; L405: if (/^\s*(?:public\s+class|private\s+\w|protected\s+\w)/m.test(text)) return "java"; L406: if (/^#!\/(?:usr\/)?bin\/(?:bash|sh|zsh)/.test(text)) return "shell"; ... L4294: } catch (e) { L4295: const fallback = path2.resolve(__dirname, "..", "..", "nodejs_optimizer", "src", "index.js"); L4296: const lib = require(fallback);
Low
Weak Crypto

Package source references weak cryptographic algorithms.

mcp-server/index.jsView on unpkg · L24

Findings

1 Critical3 Medium4 Low
CriticalTrojan Source Unicodemcp-server/index.js
MediumDynamic Requiremcp-server/index.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowWeak Cryptomcp-server/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings