registry  /  @meiyukichan/openpowers  /  1.0.3

@meiyukichan/openpowers@1.0.3

OpenPowers CLI - plugin-based development toolkit

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package is an explicit Claude Code extension and local Anthropic-compatible proxy. It mutates Claude settings and installs hooks only through user-invoked CLI commands, creating guarded agent-extension lifecycle risk but no confirmed malicious install-time behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `openpowers init`, `openpowers enable`, or starts the UI/proxy.
Impact
Claude Code hooks can run package scripts during agent events, and API traffic may be routed through the local OpenPowers proxy to configured providers.
Mechanism
First-party Claude plugin setup plus local API proxy/provider switching
Rationale
This is not clean because it deliberately installs Claude Code hooks and mutates Claude settings, which is an agent extension lifecycle risk. It should be downgraded to a warning because those actions are explicit user-command setup with no npm lifecycle hook, hidden exfiltration endpoint, or destructive behavior.
Evidence
package.jsonbin/openpowers.jsdist/commands/init.jsdist/commands/enable.jsdist/server/claude-settings.jsdist/server/anthropic/handler.jsmarketplace/.claude-plugin/plugin.jsonmarketplace/hooks/hooks.jsonmarketplace/scripts/openpowers_hooks.js~/.claude/settings.json~/.openpowers/settings.bak.json~/.openpowers/providers.json~/.openpowers/.openpowers.pid~/.openpowers/sessions/<sessionId>/settings.json
Network endpoints12
localhost:3939localhost:3939/openpowers/mcpapi.anthropic.comapi.deepseek.com/anthropicapi.xiaomimimo.com/anthropictoken-plan-cn.xiaomimimo.com/anthropicopen.bigmodel.cn/api/anthropicapi.z.ai/api/anthropicapi.minimaxi.com/anthropicapi.minimax.io/anthropicapi.moonshot.cn/anthropicapi.kimi.com/coding/

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/commands/init.js installs a first-party Claude plugin marketplace via explicit `openpowers init`.
  • marketplace/hooks/hooks.json registers Claude Code hooks that execute marketplace/scripts/openpowers_hooks.js during tool/prompt events.
  • dist/commands/enable.js explicitly writes Claude settings to route Anthropic traffic through local proxy.
  • dist/server/claude-settings.js modifies ~/.claude/settings.json and backs it up under ~/.openpowers.
  • dist/server/anthropic/handler.js forwards requests to user-configured provider baseUrl and logs last message locally.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • bin/openpowers.js only imports CLI registration and parses user-invoked commands.
  • Agent/Claude configuration changes require explicit CLI commands, not package install/import time.
  • Proxy targets come from user-configured or bundled provider templates, not a hidden hardcoded exfiltration host.
  • No credential harvesting beyond storing user-entered provider API keys for the package's proxy function.
  • No destructive file deletion or stealth persistence found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
NoLicense
scanned 106 file(s), 1.57 MB of source, external domains: api.anthropic.com, api.builtin.com, api.custom.com, api.deepseek.com, api.example.com, api.test.com, custom.anthropic.example.com, custom.api.com, default.api.com, different.com, example.com, reactjs.org, session.api.com, session.api.example.com, www.anthropic.com, www.w3.org

Source & flagged code

3 flagged · loading source
dist/commands/init.jsView file
Published source reference
Medium
Ai Review Evidence

dist/commands/init.js installs a first-party Claude plugin marketplace via explicit `openpowers init`.

dist/commands/init.jsView on unpkg
marketplace/hooks/hooks.jsonView file
Published source reference
Medium
Ai Review Evidence

marketplace/hooks/hooks.json registers Claude Code hooks that execute marketplace/scripts/openpowers_hooks.js during tool/prompt events.

marketplace/hooks/hooks.jsonView on unpkg
dist/commands/enable.jsView file
Published source reference
Medium
Ai Review Evidence

dist/commands/enable.js explicitly writes Claude settings to route Anthropic traffic through local proxy.

dist/commands/enable.jsView on unpkg

Findings

6 Medium6 Low
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumAi Review Evidencedist/commands/init.js
MediumAi Review Evidencemarketplace/hooks/hooks.json
MediumAi Review Evidencedist/commands/enable.js
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License