
@mamadoudicko/mmt@0.1.1

Compose, reuse, and run your own agent workflows (mini teams). Name them, run them on any task, watch each step.

AI Security Review

scanned 1h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package mutates Claude Code's user command surface during npm postinstall: it creates or updates a slash command under the user's home directory without an explicit setup command from the user.

Static reason
High-risk behavior combination matched malicious policy; source matched a previously finalized malicious package (@mamadoudicko/mmt@0.1.0, the prior version of this same package); routed for review; source fingerprint signature matched that same known malicious package; routed for review.
Trigger
npm install or npm install -g of @mamadoudicko/mmt@0.1.1
Impact
Installs package-supplied Claude command instructions into ~/.claude/commands, changing future Claude Code behavior when /mmt is invoked.
Mechanism
unconsented postinstall write to AI-agent control files
Policy narrative
On installation, npm runs scripts/postinstall.js. That script copies the package's .claude/commands/mmt.md into ~/.claude/commands/mmt.md and seeds package skills/teams under ~/.my-mini-team. The installed slash command is then part of Claude Code's command surface and instructs future /mmt sessions to orchestrate subagents and write reports.
Rationale
Static inspection confirms an unconsented npm postinstall mutation of a broad foreign AI-agent control surface, which meets the firewall block policy even without credential theft or exfiltration. The behavior is documented and consistent with the package's stated purpose, but it happens automatically at install time rather than through an explicit setup command. The product guard normalized the concrete AI-agent control hijack publish_block to the blockable dangerous-capability shape.
Evidence
  • package.json
  • scripts/postinstall.js
  • .claude/commands/mmt.md
  • bin/mmt
  • lib/compose.js
  • lib/runner.js
  • lib/store.js
  • lib/skills.js
  • scripts/gen-catalog.js
  • ~/.claude/commands/mmt.md
  • ~/.my-mini-team/skills/*/SKILL.md
  • ~/.my-mini-team/teams/*.team.yaml
Network endpoints (4)
  • github.com/mamadoudicko/my-mini-team/tree/main/catalog/
  • github.com/mamadoudicko/my-mini-team
  • mamadoudicko.github.io/my-mini-team/
  • github.com/mamadoudicko/my-mini-team/issues

Decision evidence

public snapshot
AI called this Malicious at 95.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node scripts/postinstall.js
  • scripts/postinstall.js writes ~/.claude/commands/mmt.md during install
  • scripts/postinstall.js seeds ~/.my-mini-team/skills and ~/.my-mini-team/teams at install time
  • .claude/commands/mmt.md is an AI-agent slash command that instructs Claude to run subagents and write run reports
Evidence against
  • scripts/postinstall.js has MMT_NO_POSTINSTALL opt-out and catches errors
  • No credential harvesting or network exfiltration found in inspected source
  • Network URLs are repository/homepage/catalog links, not runtime exfil endpoints
  • CLI child_process usage is user-invoked for editor/claude workflows
Behavioral surface
Source: ChildProcess, EnvironmentVars, Filesystem
Supply chain: UrlStrings
Manifest: No manifest risk signals triggered.
scanned 11 file(s), 41.0 KB of source, external domains: github.com

Source & flagged code

5 flagged
package.json
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
scripts/postinstall.js
Install-time AI-agent control hijack evidence (line numbers refer to scripts/postinstall.js):
L4:  // fresh install behaves exactly like a cloned repo:
L5:  // - installs the `/mmt` slash command into ~/.claude/commands/ (the runtime
L6:  //   that `mmt run/new/edit` drives inside an interactive Claude Code session),
...
L28: try {
L29:   const src = path.join(pkg, '.claude', 'commands', 'mmt.md');
L30:   if (fs.existsSync(src)) {
L31:     const dstDir = path.join(home, '.claude', 'commands');
L32:     const dst = path.join(dstDir, 'mmt.md');
...
L35:     if (cur !== next) {
L36:       fs.mkdirSync(dstDir, { recursive: true });
L37:       fs.writeFileSync(dst, next);
L38:       done.push(cur === null ? 'installed /mmt command' : 'updated /mmt command');
Payload evidence from .claude/commands/mmt.md:
L1: ---
L2: description: Run (or compose) a my-mini-team workflow as subagents in this session — on your subscription, no claude -p
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/postinstall.js · L1
scripts/gen-catalog.js
matchType = normalized_sha256
matchedPackage = @mamadoudicko/mmt@0.1.0
matchedPath = scripts/gen-catalog.js
matchedIdentity = npm:QG1hbWFkb3VkaWNrby9tbXQ:0.1.0
similarity = 1.000
summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

scripts/gen-catalog.js
matchType = malicious_source_fingerprint_signature
signature = 36442998130b20eb
signatureType = suspicious_hashes
sourceLabel = final_verdict:malicious
matchedPackage = @mamadoudicko/mmt@0.1.0
matchedPath = scripts/gen-catalog.js
matchedIdentity = npm:QG1hbWFkb3VkaWNrby9tbXQ:0.1.0
similarity = 1.000
shingleOverlap = 7
summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

scripts/gen-catalog.js

Findings

1 Critical · 3 High · 3 Medium · 3 Low
  • Critical: Ai Agent Control Hijack (scripts/postinstall.js)
  • High: Install Time Lifecycle Scripts (package.json)
  • High: Known Malware Source Similarity (scripts/gen-catalog.js)
  • High: Known Malware Source Fingerprint Signature (scripts/gen-catalog.js)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Medium: Environment Vars
  • Medium: Structural Risk Force Deep Review
  • Low: Scripts Present
  • Low: Filesystem
  • Low: Url Strings