registry  /  @lineman-io/plugin  /  2.9.18

@lineman-io/plugin@2.9.18

Lineman MCP server — AI-powered code intelligence for Claude Code

AI Security Review

scanned 12d ago · by lpm-firewall-ai

No confirmed malware behavior was established, but the executable main bundle is obfuscated and the plugin has broad Claude Code hook influence. Runtime hooks can steer tool usage, persist local session/status data, and call Lineman services for compression/analysis.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Claude Code plugin installation/session start or use of registered hooks/MCP tools
Impact
Potential privacy/control-surface risk if obfuscated main differs from disclosed behavior; inspected hook code is package-aligned.
Mechanism
Claude Code hook interception plus cloud API delegation
Attack narrative
If abused, the Claude Code hook surface could alter agent behavior and route source/tool output to a remote service. In this package, the inspected hook sources and README align those capabilities with the advertised Lineman product, but the obfuscated main/bin bundle prevents full confidence that no additional behavior exists.
Rationale
Source inspection found disclosed, package-aligned hook routing, statusline writes, telemetry, and Lineman API calls, with no install-time execution, credential harvesting, persistence outside plugin/config state, or destructive behavior. The obfuscated main/bin entrypoint keeps unresolved risk above clean despite lack of concrete malicious behavior.
Evidence
package.jsonREADME.mdstart.mjsdist/main.jsdist/api-url-guard.jsdist/urls.jshooks/hooks.jsonhooks/session-start.mjshooks/pre-tool-use.mjshooks/post-tool-use.mjshooks/user-prompt-submit.mjshooks/lineman-call.mjs~/.lineman/config.json~/.claude/settings.json~/.claude/lineman-statusline.mjs$CLAUDE_PLUGIN_DATA/*/tmp/lineman/*
Network endpoints4
api-data.lineman.ioapi-app.lineman.iolineman.io/update-manifest.jsonSENTRY_DSN

Decision evidence

public snapshot
AI called this Suspicious at 72.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/main.js is heavily obfuscated and is the package main/bin entrypoint.
  • hooks/session-start.mjs injects agent instructions such as concise-response and Bash/file-exploration restrictions at Claude SessionStart.
  • hooks/core/statusline-install.mjs auto-copies a statusline script and writes ~/.claude/settings.json during SessionStart when enabled.
  • hooks/lineman-call.mjs sends selected content to configured Lineman API with bearer auth.
  • hooks/sentry-hook.mjs can report git remote/branch/sha metadata to Sentry when SENTRY_DSN is set.
Evidence against
  • package.json has no npm lifecycle install/postinstall scripts.
  • README.md discloses Claude Code plugin hooks, secondary-LLM routing, API endpoints, statusline install, and telemetry.
  • API URL guard restricts service URLs to *.lineman.io or localhost unless explicitly overridden.
  • hooks/user-prompt-submit.mjs records prompt-derived session events locally and spawns package child scripts for package-aligned cost/compaction work.
  • Credential use appears limited to Lineman auth tokens from config/env for package service calls.
  • No destructive filesystem behavior found; writes are config/status/session/cache files aligned with plugin operation.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
NoLicense
scanned 92 file(s), 589 KB of source, external domains: api-app-staging.lineman.io, api-app.lineman.io, api-data-staging.lineman.io, api-data.lineman.io, api.lineman.io, auth.staging.lineman.io, disabled.invalid, lineman.io, nodejs.org
Oversized source lightweight scan
dist/main.js2.11 MB file, sampled 256 KB
NetworkDynamicRequireObfuscatedMinifiedUrlStringsauth.staging.lineman.iodisabled.invalid

Source & flagged code

5 flagged · loading source
start.mjsView file
33// be a file:// URL. pathToFileURL is a no-op-equivalent on POSIX. L34: await import(pathToFileURL(resolve(__dirname, "dist", "main.js")).href);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

start.mjsView on unpkg · L33
hooks/core/tier3-transport.mjsView file
1import{createHash as e}from"node:crypto";import{platform as r}from"node:os";export function tier3TransportTarget(t){return"win32"===r()?`\\\\.\\pipe\\lineman-tier3-${e("sha1").upda...
Low
Weak Crypto

Package source references weak cryptographic algorithms.

hooks/core/tier3-transport.mjsView on unpkg · L1
dist/main.jsView file
path = dist/main.js kind = oversized_source_file sizeBytes = 2209349 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/main.jsView on unpkg
path = dist/main.js kind = oversized_cli_entrypoint sizeBytes = 2209349 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/main.jsView on unpkg
hooks/user-prompt-submit.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @lineman-io/plugin@2.9.17 matchedIdentity = npm:QGxpbmVtYW4taW8vcGx1Z2lu:2.9.17 similarity = 0.946 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

hooks/user-prompt-submit.mjsView on unpkg

Findings

1 Critical2 High5 Medium6 Low
CriticalPrevious Version Dangerous Deltahooks/user-prompt-submit.mjs
HighObfuscated
HighOversized Source Filedist/main.js
MediumDynamic Requirestart.mjs
MediumNetwork
MediumEnvironment Vars
MediumOversized Cli Entrypointdist/main.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptohooks/core/tier3-transport.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License