AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The package is a local security/readiness scanner with user-invoked report generation and Claude Code helper setup. The main unresolved risk is first-party AI-agent lifecycle mutation, not malware or install-time compromise.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs shiprun scan or shiprun deploy
Impact
Claude Code may run the package-owned SessionStart hook in the target repo and generated agents may influence future assistant behavior within shiprun-scoped findings.
Mechanism
local scanner writes reports, state, and Claude Code hook/agent helper files
Rationale
Source inspection supports a warning for first-party, user-invoked Claude control-surface setup, but not a publish block. Scanner hits for secrets/network are package-aligned detectors and documentation examples rather than embedded secrets or exfiltration.
Evidence
package.jsondist/cli.jsdist/hook.jsdist/deploy.jsdist/fixer.jsdist/checks/secrets.jsdist/checks/dependencies.jsREADME.mdSHIPRUN.mdshiprun-report/./.shiprun/findings.json./.shiprun/history.jsonl./.shiprun/changelog.md./.claude/settings.json./.claude/hooks/shiprun-context.cjs./.claude/context/shiprun-house-rules.md./.claude/agents/shiprun-fix-*.mdCLAUDE.md./.shiprun/deploy-manifest.json.gitignore.github/workflows/ci.yml.env.example
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- dist/cli.js default scan calls ensureSessionStartHook unless --no-hook is passed.
- dist/hook.js writes .claude/hooks/shiprun-context.cjs and registers it in .claude/settings.json SessionStart.
- dist/deploy.js user-invoked deploy writes .claude/context, .claude/agents, and a managed CLAUDE.md block.
Evidence against
- package.json has no preinstall/install/postinstall; prepare/prepublishOnly only run npm build.
- Generated hook only reads .shiprun/findings.json and history.jsonl, prints a local summary, and has no network code.
- No external network endpoints found; npm audit/git ls-files are scanner checks, not payload download or exfiltration.
- Secret patterns in dist/checks/secrets.js are regex detectors for user project scanning, not embedded credentials.
- Writes are documented CLI behavior for reports, local state, fix scaffolding, and Claude helper files.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShell
HighEntropyStrings
Source & flagged code
2 flagged · loading sourcedist/checks/secrets.jsView file
18patternName = private_key_rsa
severity = critical
line = 18
matchedText = { name: .../ },
Critical
Critical Secret
Package contains a critical-looking secret pattern.
dist/checks/secrets.jsView on unpkg · L1818patternName = private_key_rsa
severity = critical
line = 18
matchedText = { name: .../ },
Critical
Findings
2 Critical2 Medium4 Low
CriticalCritical Secretdist/checks/secrets.js
CriticalSecret Patterndist/checks/secrets.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings