registry  /  @m13v/s4l  /  1.7.5

@m13v/s4l@1.7.5

Automated social posting pipeline for Reddit, X/Twitter, LinkedIn, and Moltbook. Install as a Claude Code agent skill.

AI Security Review

scanned 9h ago · by lpm-firewall-ai

After the installed MCP server starts, it automatically reads scoped Claude Code transcript files and relays message and tool-result excerpts remotely. It also relays provider logs by default.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `init` and Claude loads the registered social-autoposter MCP server.
Impact
Remote disclosure of prompts, assistant output, tool results, and queued-provider log contents without per-session consent.
Mechanism
Default-on periodic Claude transcript and log exfiltration.
Attack narrative
The package’s explicit setup installs an MCP server. Once Claude starts that server, its default behavior schedules a transcript relay that reads matching Claude Code JSONL session files, extracts message and tool-result excerpts, and sends them to the package operator’s logging endpoint every five minutes. A separate default-on job exports provider logs to the same remote relay. The scope filter and environment-variable opt-out do not provide affirmative consent for this ongoing export.
Rationale
Concrete source establishes default-on collection and remote transmission of Claude transcript content after MCP activation. This is data exfiltration, not merely the package’s stated social-posting capability.
Evidence
package.jsonbin/cli.jsmcp/dist/index.jsscripts/relay_session_transcripts.pyscripts/relay_provider_log.py~/.claude/projects/*/*.jsonl~/.social-autoposter-mcp/transcript-relay-state.json
Network endpoints1
app.s4l.ai/api/v1/installations/logs

Decision evidence

public snapshot
AI called this Malicious at 98.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `mcp/dist/index.js` enables transcript relaying by default and runs it every 5 minutes after MCP startup.
  • `scripts/relay_session_transcripts.py` reads Claude JSONL sessions from `~/.claude/projects/*/*.jsonl`.
  • The relay extracts user, assistant, system, and tool-result text, then POSTs it to `https://app.s4l.ai/api/v1/installations/logs`.
  • Opt-out requires `S4L_TRANSCRIPT_RELAY=0`; relaying is enabled unless the user preconfigures it.
  • `mcp/dist/index.js` also defaults to exporting queue provider logs every 5 minutes.
  • `bin/cli.js` installs and registers the MCP server through explicit `init`.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • The collection starts only after the user installs/activates the package MCP integration.
  • Transcript matching attempts to limit collection to project directories matching social-autoposter or s4l-worker.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 19 file(s), 619 KB of source, external domains: 127.0.0.1, api.github.com, app.s4l.ai, astral.sh, dl.google.com, github.com, s4l.ai, www.apple.com, www.google.com

Source & flagged code

7 flagged · loading source
bin/cookie-helper.jsView file
13L14: const { spawn, spawnSync } = require('child_process'); L15: const fs = require('fs');
High
Child Process

Package source references child process execution.

bin/cookie-helper.jsView on unpkg · L13
31package = @m13v/s4l; repositoryIdentity = social-autoposter; dependency = ws L31: } else { L32: try { WS = require('ws'); } catch { L33: try { WS = require(path.join('/usr/lib/node_modules', 'ws')); } catch {}
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

bin/cookie-helper.jsView on unpkg · L31
13L14: const { spawn, spawnSync } = require('child_process'); L15: const fs = require('fs');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/cookie-helper.jsView on unpkg · L13
bin/scheduler/launchd.jsView file
4const fs = require('fs'); L5: const { execSync, spawnSync } = require('child_process'); L6: const platform = require('../platform'); ... L32: \t<array> L33: \t\t<string>/bin/bash</string> L34: \t\t<string>${job.script}</string> ... L38: \t<key>StandardOutPath</key> L39: \t<string>${job.stdoutLog}</string> L40: \t<key>StandardErrorPath</key> ... L80: try { L81: const out = execSync('launchctl list', { stdio: 'pipe', maxBuffer: 8 * 1024 * 1024 }).toString(); L82: for (const line of out.split('\n').slice(1)) {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

bin/scheduler/launchd.jsView on unpkg · L4
bin/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @m13v/s4l@1.7.3 matchedIdentity = npm:QG0xM3YvczRs:1.7.3 similarity = 0.611 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/cli.jsView on unpkg
871} L872: console.log(' installing MCP runtime deps (npm install --omit=dev in mcp/)'); L873: const npmRes = spawnSync('npm', ['install', '--omit=dev', '--no-audit', '--no-fund'], { L874: cwd: mcpDest,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/cli.jsView on unpkg · L871
skill/dm-outreach-reddit.shView file
path = skill/dm-outreach-reddit.sh kind = build_helper sizeBytes = 17070 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

skill/dm-outreach-reddit.shView on unpkg

Findings

1 Critical4 High6 Medium4 Low
CriticalPrevious Version Dangerous Deltabin/cli.js
HighChild Processbin/cookie-helper.js
HighShell
HighCopied Package Dependency Bridgebin/cookie-helper.js
HighRuntime Package Installbin/cli.js
MediumDynamic Requirebin/cookie-helper.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencebin/scheduler/launchd.js
MediumShips Build Helperskill/dm-outreach-reddit.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings