AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious install-time or import-time attack surface was found. The package exposes a user-invoked OpenBot plugin that runs Claude Code with broad workspace capabilities by default.
Decision evidence
public snapshot- dist/index.js imports execSync and uses `which claude`/`where claude` to locate a Claude executable.
- dist/index.js invokes Anthropic Claude Agent SDK on `agent:invoke`, spawning Claude Code with workspace cwd and user prompt.
- dist/index.js plugin config defaults `permissionMode` to `bypassPermissions`, enabling broad agent file/shell capability when invoked.
- package.json has no preinstall/install/postinstall hooks; only prepublishOnly build script.
- dist/index.js exported default is a first-party OpenBot plugin definition; behavior is runtime/user-invoked, not install-time.
- API key collection is via an explicit UI widget and stored through `storage.createVariable(... secret: true)`, not sent to an arbitrary endpoint.
- Network endpoints observed are Anthropic/Claude SDK endpoints such as `https://api.anthropic.com`, `https://platform.claude.com`, and `https://claude.com`.
Source & flagged code
6 flagged · loading sourceSource appears to send environment or credential material to an external endpoint.
dist/index.jsView on unpkg · L1A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/index.jsView on unpkg · L1A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/index.jsView on unpkg · L18897