AI Security Review
scanned 1h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. First-party Meetless integration for Claude Code installs hooks, MCP config, skills, local queues/logs, and optional prompt/context telemetry for activated workspaces. This is a sensitive agent-extension surface but source inspection did not show hidden install-time execution or a malicious chain.
Decision evidence
public snapshot- dist/lib/config.js defines Meetless endpoints: control.meetless.ai, intel.meetless.ai, app.meetless.ai.
- dist/hooks-template/user-prompt-submit.sh captures prompts in activated workspaces and can call intel /v1/ask.
- dist/lib/wire.js writes Claude Code hooks, MCP config, skills, agents, and a CLAUDE.md rules block.
- package.json has no preinstall/install/postinstall lifecycle hooks; only user-invoked bin dist/cli.js.
- dist/commands/init.js and dist/commands/rewire.js make setup explicit via mla init/rewire, with opt-outs for hooks/MCP/project rules.
- Hooks are gated on .meetless.json activation or fail-soft no-op behavior; CE0 hooks emit {} and do not block turns.
- Network behavior is package-aligned Meetless telemetry/governance/update traffic, not arbitrary exfiltration.
- dist/connectors/claude-code/plugin-detect.js only inspects local claude plugin list and fails safe.
- dist/lib/spool.js queue cleanup is age-gated and limited to recognized Meetless queue artifacts.
Source & flagged code
4 flagged · loading sourcePackage source references a known benign dynamic code generation pattern.
dist/commands/ask.jsView on unpkg · L100Package source references dynamic require/import behavior.
dist/connectors/claude-code/plugin-detect.jsView on unpkg · L58Package ships non-JavaScript build or shell helper files.
dist/hooks-template/user-prompt-submit.shView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/lib/spool.jsView on unpkg