registry  /  @meetopenbot/claude-code  /  0.1.7

@meetopenbot/claude-code@0.1.7

Claude Code plugin for OpenBot

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious install-time or import-time attack surface was found. The package exposes a user-invoked OpenBot plugin that runs Claude Code with broad workspace capabilities by default.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
OpenBot agent invocation after enabling/configuring the plugin
Impact
Claude Code may read, edit, and run shell commands in the channel workspace as part of intended plugin behavior.
Mechanism
user-invoked Claude Code agent runtime with default bypassPermissions
Rationale
Static inspection shows a Claude Code OpenBot plugin with dangerous but package-aligned, user-invoked agent capabilities and no unconsented lifecycle mutation, credential exfiltration, or arbitrary remote payload behavior. The default bypassPermissions setting creates real dual-use risk, so warn rather than block.
Evidence
package.jsondist/index.js
Network endpoints4
api.anthropic.complatform.claude.comclaude.commcp-proxy.anthropic.com

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/index.js imports execSync and uses `which claude`/`where claude` to locate a Claude executable.
  • dist/index.js invokes Anthropic Claude Agent SDK on `agent:invoke`, spawning Claude Code with workspace cwd and user prompt.
  • dist/index.js plugin config defaults `permissionMode` to `bypassPermissions`, enabling broad agent file/shell capability when invoked.
Evidence against
  • package.json has no preinstall/install/postinstall hooks; only prepublishOnly build script.
  • dist/index.js exported default is a first-party OpenBot plugin definition; behavior is runtime/user-invoked, not install-time.
  • API key collection is via an explicit UI widget and stored through `storage.createVariable(... secret: true)`, not sent to an arbitrary endpoint.
  • Network endpoints observed are Anthropic/Claude SDK endpoints such as `https://api.anthropic.com`, `https://platform.claude.com`, and `https://claude.com`.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 1 file(s), 938 KB of source, external domains: api.anthropic.com, beacon.claude-ai.staging.ant.dev, claude-staging.fedstart.com, claude.ai, claude.com, claude.fedstart.com, console.anthropic.com, docs.anthropic.com, docs.expo.dev, github.com, hooks.example.com, json-schema.org, json.schemastore.org, mcp-proxy.anthropic.com, platform.claude.com, raw.githubusercontent.com, reviews.example.com

Source & flagged code

6 flagged · loading source
dist/index.jsView file
1// runtime.ts L2: import { execSync } from "node:child_process"; L3: import { existsSync as existsSync2, readlinkSync as readlinkSync2, statSync as statSync2 } from "node:fs"; ... L2025: Object.defineProperty(uj, "__esModule", { value: true }); L2026: var K6 = Q$(), Dd = { data: new K6.Name("data"), valCxt: new K6.Name("valCxt"), instancePath: new K6.Name("instancePath"), parentData: new K6.Name("parentData"), parentDataProperty... L2027: uj.default = Dd; ... L2617: function M(A) { L2618: let k = this.opts.uriResolver.resolve; L2619: if (A = D9(D ? k(D, A) : A), H.has(A)) throw V(A); ... L3360: } L3361: var Ir = Array.from({ length: 127 }, ($, Q) => /[^!"$&'()*+,\-.;=_`a-z{}~]/u.test(String.fromCharCode(Q))); L3362: function Rr($) {
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/index.jsView on unpkg · L1
1Trigger-reachable chain: manifest.main -> dist/index.js L1: // runtime.ts L2: import { execSync } from "node:child_process"; L3: import { existsSync as existsSync2, readlinkSync as readlinkSync2, statSync as statSync2 } from "node:fs"; ... L2025: Object.defineProperty(uj, "__esModule", { value: true }); L2026: var K6 = Q$(), Dd = { data: new K6.Name("data"), valCxt: new K6.Name("valCxt"), instancePath: new K6.Name("instancePath"), parentData: new K6.Name("parentData"), parentDataProperty... L2027: uj.default = Dd; ... L2617: function M(A) { L2618: let k = this.opts.uriResolver.resolve; L2619: if (A = D9(D ? k(D, A) : A), H.has(A)) throw V(A); ... L3360: } L3361: var Ir = Array.from({ length: 127 }, ($, Q) => /[^!"$&'()*+,\-.;=_`a-z{}~]/u.test(String.fromCharCode(Q))); L3362: function Rr($) {
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.jsView on unpkg · L1
1// runtime.ts L2: import { execSync } from "node:child_process"; L3: import { existsSync as existsSync2, readlinkSync as readlinkSync2, statSync as statSync2 } from "node:fs";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L1
18649var UF$ = _(() => pV.enum(eJ)); L18650: var _E = ["bash", "powershell"]; L18651: var $X = _(() => K.string().optional().describe('Permission rule syntax to filter when this hook runs (e.g., "Bash(git *)"). Only runs if the tool call matches the pattern. Avoids ...
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L18649
12252try { L12253: return new Function(""), true; L12254: } catch ($) {
High
Eval

Package source references dynamic code evaluation.

dist/index.jsView on unpkg · L12252
18897var W$$ = _(() => K.object({ source: QX().describe("Where to fetch the marketplace from"), installLocation: K.string().optional().describe("Local cache path where marketplace manif... L18898: var G$$ = _(() => K.object({ serverName: K.string().regex(/^[a-zA-Z0-9_-]+$/, "Server name can only contain letters, numbers, hyphens, and underscores").optional().describe("Name o... L18899: return cH([$.serverName !== void 0, $.serverCommand !== void 0, $.serverUrl !== void 0], Boolean) === 1; ... L18906: function Wb($) { L18907: return K.object({ $schema: K.literal(dE).optional().describe("JSON Schema reference for Claude Code settings"), apiKeyHelper: K.string().optional().describe("Path to a script that ... L18908: for (let [J, Y] of Object.entries(Q.value)) if (Y.source.source === "settings" && Y.source.name !== J) Q.issues.push({ code: "custom", input: Y.source.name, path: [J, "source", "na...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L18897

Findings

2 Critical4 High3 Medium6 Low
CriticalCredential Exfiltrationdist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
HighChild Processdist/index.js
HighShelldist/index.js
HighEvaldist/index.js
HighSame File Env Network Executiondist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License