AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
User runs `promper`/`npx promper`, or installs/enables the included Claude plugin hooks.
Impact
Can alter Claude Code behavior and add an external marketplace, but only through user-invoked setup or plugin activation.
Mechanism
Explicit AI-agent skill installation, marketplace bootstrap, and hook-based prompt/edit control.
Rationale
This is not malicious under the install-time blocking boundary because there are no lifecycle scripts or unconsented npm-install mutations. It warrants a warning because explicit setup changes AI-agent configuration and bootstraps an external marketplace.
Evidence
package.jsonbin/promper.mjshooks/hooks.jsonhooks/contract-gate.mjshooks/enrich-spawn.mjshooks/gate-prompt.mjs~/.claude/skills/promper~/.claude/skills/promper-setup~/.claude/skills/prim~/.claude/skills/breakdown~/.claude/plugins/marketplaces/claude-code-workflows~/.invoker/state/promper-decision-<session_id>.json
Decision evidence
public snapshotAI called this Suspicious at 93.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `bin/promper.mjs` default command copies four skills into `~/.claude/skills`.
- The same default flow runs `claude plugin marketplace add wshobson/agents` when its marketplace cache is absent.
- `hooks/hooks.json` defines Claude session, prompt, subagent-spawn, and edit-gating hooks.
- `hooks/contract-gate.mjs` can deny in-repo edit tools until a routing-state file exists.
Evidence against
- `package.json` has no preinstall, install, postinstall, prepare, or other lifecycle hook.
- Agent configuration mutation requires an explicit `promper`/`npx promper` invocation.
- Reviewed code has no credential harvesting, HTTP client, payload download, eval, or shell interpolation.
- Child-process use is limited to fixed `claude` marketplace and `git rev-parse` commands.
Behavioral surface
ChildProcessDynamicRequireEnvironmentVarsFilesystemShell
HighEntropyStrings
Source & flagged code
1 flagged · loading sourcehooks/gate-prompt.mjsView file
55try {
L56: ({ countPriorUserTurns, classifyGate } = await import(join(HOOK_DIR, "..", "dist", "gate.js")));
L57: } catch {
Medium
Dynamic Require
Package source references dynamic require/import behavior.
hooks/gate-prompt.mjsView on unpkg · L55Findings
2 Medium3 Low
MediumDynamic Requirehooks/gate-prompt.mjs
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings