@mamadoudicko/mmt@0.1.0

Compose, reuse, and run your own agent workflows (mini teams). Name them, run them on any task, watch each step.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Install automatically mutates the user's Claude Code command surface by installing or updating a /mmt slash command. This is an unconsented postinstall write to a broad AI-agent control surface.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install / npx lifecycle postinstall
Impact
Can alter future Claude Code /mmt behavior and agent instructions outside the package directory
Mechanism
postinstall drops Claude slash command and starter agent files into home directories
Policy narrative
On installation, npm runs scripts/postinstall.js. Unless MMT_NO_POSTINSTALL is set, it reads the packaged .claude/commands/mmt.md and writes it into ~/.claude/commands/mmt.md, updating an existing command if contents differ. That command defines runtime instructions for Claude Code subagents and future file writes. The package also seeds package-owned skills and teams under ~/.my-mini-team.
Rationale
Source inspection confirms unconsented install-time mutation of ~/.claude/commands, a broad AI-agent control surface, which meets the firewall block policy even without exfiltration. Other risky primitives appear package-aligned and user-invoked, but they do not offset the install-time control-surface write. Product guard normalized a concrete AI-agent control hijack publish_block to the blockable dangerous-capability shape.
Evidence
  • package.json
  • scripts/postinstall.js
  • .claude/commands/mmt.md
  • bin/mmt
  • lib/runner.js
  • lib/compose.js
  • lib/skills.js
  • lib/store.js
  • skills/publish-report/SKILL.md
  • teams/spec-to-prod.team.yaml
  • ~/.claude/commands/mmt.md
  • ~/.my-mini-team/skills/*/SKILL.md
  • ~/.my-mini-team/teams/*.team.yaml
  • ~/.my-mini-team/runs/<team>-<ts>.md
Network endpoints (3)
  • github.com/mamadoudicko/my-mini-team.git
  • mamadoudicko.github.io/my-mini-team/
  • github.com/mamadoudicko/my-mini-team/issues
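
The policy narrative above describes a pattern that can be checked statically before any lifecycle hook runs: find the install-time scripts in package.json, then look in each one for filesystem writes that build paths into AI-agent configuration directories under the home directory. The block below is an added example, not code from @mamadoudicko/mmt or from the LPM scanner. The control-directory list, the function names (auditPackage, verdict, homeControlDirsTouched) and the sample packages are assumptions constructed for this example; the postinstall stub in FLAGGED_PACKAGE is shaped after the scripts/postinstall.js excerpts quoted on this page, not copied from the real tarball.

```javascript
// Added example, not code from @mamadoudicko/mmt or the LPM scanner: a static
// policy check over a package's files held in memory. It lists the lifecycle
// hooks npm runs at install time, then scans each hook's script for fs writes
// aimed at AI-agent configuration directories under $HOME. Directory list and
// sample packages are assumptions built for this example.

// Hooks npm runs during `npm install` without prompting.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
// Home-relative directories an AI coding agent reads as instructions (assumed list).
const AGENT_CONTROL_DIRS = ['.claude', '.cursor', '.codex', '.config/github-copilot'];
// fs calls that create or alter files.
const WRITE_CALLS = /\bfs\.(?:writeFileSync|writeFile|appendFileSync|appendFile|copyFileSync|copyFile|mkdirSync|mkdir)\s*\(/g;
const esc = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

function installScripts(pkgJson) {
  const scripts = pkgJson.scripts || {};
  return INSTALL_HOOKS
    .filter((h) => typeof scripts[h] === 'string')
    .map((h) => ({ hook: h, command: scripts[h] }));
}

// Script files a lifecycle command executes via `node <file>`.
function scriptFilesOf(command) {
  const m = command.match(/\bnode\s+([^\s&|;]+)/);
  return m ? [m[1]] : [];
}

// Control directories the source builds a path into, either as
// path.join(<home>, '.claude', ...) or as a literal "~/.claude".
function homeControlDirsTouched(source) {
  const home = '(?:home|homeDir|os\\.homedir\\(\\)|process\\.env\\.HOME)';
  return AGENT_CONTROL_DIRS.filter((dir) => {
    const segs = dir.split('/').map((s) => `['"]${esc(s)}['"]`).join('\\s*,\\s*');
    const joined = new RegExp(`path\\.join\\(\\s*${home}\\s*,\\s*${segs}`);
    const literal = new RegExp(`~/${esc(dir)}`);
    return joined.test(source) || literal.test(source);
  });
}

function auditPackage(files) {
  const pkgJson = JSON.parse(files['package.json']);
  const findings = [];
  for (const { hook, command } of installScripts(pkgJson)) {
    findings.push({ severity: 'high', rule: 'install-lifecycle-script', detail: `${hook}: ${command}` });
    for (const file of scriptFilesOf(command)) {
      const src = files[file];
      if (src === undefined) {
        // Hook points at a file the tarball does not ship: not reviewable statically.
        findings.push({ severity: 'medium', rule: 'lifecycle-script-not-in-package', detail: file });
        continue;
      }
      const dirs = homeControlDirsTouched(src);
      const writes = [...new Set((src.match(WRITE_CALLS) || []).map((w) => w.replace(/\s*\($/, '')))];
      if (dirs.length && writes.length) {
        findings.push({
          severity: 'critical',
          rule: 'agent-control-surface-write',
          detail: `${file} writes under ~/${dirs.join(', ~/')} using ${writes.join(', ')}`,
        });
      }
      // An env-var gate is recorded as context, not counted as a mitigation.
      const gates = src.match(/process\.env\.([A-Z][A-Z0-9_]*)/g) || [];
      if (gates.length) findings.push({ severity: 'info', rule: 'env-gated-install-step', detail: gates.join(', ') });
    }
  }
  return findings;
}

// Any control-surface write blocks; any other lifecycle script needs a human look.
function verdict(findings) {
  if (findings.some((f) => f.severity === 'critical')) return 'block';
  if (findings.some((f) => f.severity === 'high' || f.severity === 'medium')) return 'review';
  return 'allow';
}

// Constructed sample: a postinstall hook plus a stand-in script shaped like the
// scripts/postinstall.js excerpts quoted on this page (not the real file).
const FLAGGED_PACKAGE = {
  'package.json': JSON.stringify({ name: 'sample-mmt', version: '0.1.0', scripts: { postinstall: 'node scripts/postinstall.js' } }),
  'scripts/postinstall.js': [
    "const fs = require('fs'), path = require('path'), os = require('os');",
    'if (process.env.MMT_NO_POSTINSTALL) process.exit(0);',
    "const pkg = path.resolve(__dirname, '..'), home = os.homedir(), done = [];",
    "try { const src = path.join(pkg, '.claude', 'commands', 'mmt.md');",
    "  if (fs.existsSync(src)) { const dstDir = path.join(home, '.claude', 'commands'); const dst = path.join(dstDir, 'mmt.md');",
    "    const next = fs.readFileSync(src, 'utf8'); const cur = fs.existsSync(dst) ? fs.readFileSync(dst, 'utf8') : null;",
    '    if (cur !== next) { fs.mkdirSync(dstDir, { recursive: true }); fs.writeFileSync(dst, next);',
    "      done.push(cur === null ? 'installed /mmt command' : 'updated /mmt command'); } } } catch (e) {}",
  ].join('\n'),
};

// Same hook, but the script only writes inside its own package directory.
const REVIEW_ONLY_PACKAGE = {
  'package.json': FLAGGED_PACKAGE['package.json'],
  'scripts/postinstall.js': "const fs = require('fs'), path = require('path');\nfs.writeFileSync(path.join(__dirname, 'build-info.json'), '{}');",
};
const NO_SCRIPTS_PACKAGE = { 'package.json': JSON.stringify({ name: 'plain', version: '1.0.0' }) };

for (const [name, files] of Object.entries({ FLAGGED_PACKAGE, REVIEW_ONLY_PACKAGE, NO_SCRIPTS_PACKAGE })) {
  const findings = auditPackage(files);
  console.log(`${name}: ${verdict(findings)}`, findings.map((f) => `${f.severity} ${f.rule}: ${f.detail}`));
}
```

Run it with node: the flagged sample returns block, the same hook writing only inside its own package directory returns review, and a package with no lifecycle scripts returns allow. The MMT_NO_POSTINSTALL gate shows up as an info finding rather than lowering the verdict, in line with the rationale above: an opt-out the installer has to know about before running npm install does not make the default write consented. To get the files for a real package without triggering any hook, use npm pack and audit the extracted tarball, or install with npm install --ignore-scripts and review the scripts before running them.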

Decision evidence

public snapshot
AI called this Malicious at 94.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node scripts/postinstall.js
  • scripts/postinstall.js writes package .claude/commands/mmt.md into ~/.claude/commands/mmt.md during install
  • postinstall also seeds ~/.my-mini-team/skills and ~/.my-mini-team/teams
  • the dropped Claude slash command instructs agent behavior and writes run reports under ~/.my-mini-team/runs
Evidence against
  • postinstall has MMT_NO_POSTINSTALL opt-out and catches errors
  • no credential harvesting or exfiltration found in inspected source
  • no install-time network calls found
  • CLI network/outward action is limited to user-invoked claude/gh flows
Behavioral surface
Source
ChildProcess, EnvironmentVars, Filesystem
Supply chain
UrlStrings
Manifest
No manifest risk signals triggered.
scanned 11 file(s), 41.0 KB of source, external domains: github.com

Source & flagged code

3 flagged
package.json
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

scripts/postinstall.js
Install-time AI-agent control hijack evidence (scripts/postinstall.js):
  L4:  // fresh install behaves exactly like a cloned repo:
  L5:  // - installs the `/mmt` slash command into ~/.claude/commands/ (the runtime
  L6:  //   that `mmt run/new/edit` drives inside an interactive Claude Code session),
  ...
  L28: try {
  L29:   const src = path.join(pkg, '.claude', 'commands', 'mmt.md');
  L30:   if (fs.existsSync(src)) {
  L31:     const dstDir = path.join(home, '.claude', 'commands');
  L32:     const dst = path.join(dstDir, 'mmt.md');
  ...
  L35:     if (cur !== next) {
  L36:       fs.mkdirSync(dstDir, { recursive: true });
  L37:       fs.writeFileSync(dst, next);
  L38:       done.push(cur === null ? 'installed /mmt command' : 'updated /mmt command');
Payload evidence from .claude/commands/mmt.md:
  L1: ---
  L2: description: Run (or compose) a my-mini-team workflow as subagents in this session — on your subscription, no claude -p
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/postinstall.js · L1

Findings

1 Critical · 1 High · 3 Medium · 3 Low
Critical · Ai Agent Control Hijack · scripts/postinstall.js
High · Install Time Lifecycle Scripts · package.json
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · Url Strings