registry  /  @pimmesz/afterburner  /  2.12.0

@pimmesz/afterburner@2.12.0

Convert idle AI-subscription quota (Claude or Codex) into shippable engineering work: budget-aware trigger, bounded task selection, PR-only output.

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a local AI-agent automation CLI whose network, shell, scheduler, and file writes are user-invoked and aligned with its documented purpose.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
Explicit CLI commands such as `afterburner run-once`, `auth`, `update`, `statusline install`, `schedule install`, or `skill install`.
Impact
Can modify configured repositories and local Claude/Afterburner config when explicitly enabled; no unconsented install-time/import-time execution or credential exfiltration found.
Mechanism
User-configured local automation spawning git/gh/claude/codex and optional notifications.
Rationale
Static inspection confirms the scary primitives are part of a documented, user-invoked local automation tool and not lifecycle/import-time malware. I found no credential harvesting with exfiltration, hidden persistence, destructive behavior, or unconsented AI-agent control-surface mutation.
Evidence
package.jsondist/cli/index.jsdist/chunk-REVVAUKX.jsdist/core/index.jsREADME.mdafterburner.config.example.tsskill/SKILL.md.env.exampleafterburner.config.mjs.afterburner/backlog.jsonl~/.claude/settings.json~/.claude/skills/afterburner/SKILL.md
Network endpoints4
registry.npmjs.orgntfy.shapi.telegram.orggithub.com

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/cli/index.js exposes user-invoked commands that spawn claude/codex/git/gh and can run configured repo setup/verify commands.
  • dist/cli/index.js update command can run npm/pnpm/yarn/bun global install, but only via explicit `afterburner update`.
  • dist/cli/index.js statusline/skill/schedule commands write Claude/settings or scheduler artifacts, but are explicit CLI subcommands.
Evidence against
  • package.json has no install/postinstall lifecycle hooks; bin is the CLI only.
  • dist/cli/index.js `auth` runs `claude setup-token`, redacts stdout, extracts token, and stores it locally; no source path sends that output to a remote endpoint.
  • dist/chunk-REVVAUKX.js notifications only send run outcome/title/PR URL to configured ntfy/Telegram endpoints, with HTTPS token guards.
  • dist/core/index.js only re-exports library APIs; no import-time command execution observed.
  • README.md and afterburner.config.example.ts document dry-run default, live backend opt-in, PR-only branch behavior, and no telemetry.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 402 KB of source, external domains: api.telegram.org, crontab.guru, git-scm.com, github.com, nodejs.org, ntfy.sh, registry.npmjs.org, www.apple.com

Source & flagged code

8 flagged · loading source
dist/cli/index.jsView file
70L71: // package.json L72: var package_default = { ... L117: type: "git", L118: url: "git+https://github.com/pimmesz/afterburner.git" L119: }, ... L156: // src/cli/ui.ts L157: var noColor = !!process.env.NO_COLOR || process.env.TERM === "dumb"; L158: var fancy = process.stdout.isTTY === true && !noColor; L159: var fancyErr = process.stderr.isTTY === true && !noColor; L160: var canAnimate = fancyErr && !process.env.CI; L161: var paint = (enabled) => (open2, close) => (s) => enabled ? `\x1B[${open2}m${s}\x1B[${close}m` : s;
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/cli/index.jsView on unpkg · L70
70Trigger-reachable chain: manifest.bin -> dist/cli/index.js L70: L71: // package.json L72: var package_default = { ... L117: type: "git", L118: url: "git+https://github.com/pimmesz/afterburner.git" L119: }, ... L156: // src/cli/ui.ts L157: var noColor = !!process.env.NO_COLOR || process.env.TERM === "dumb"; L158: var fancy = process.stdout.isTTY === true && !noColor; L159: var fancyErr = process.stderr.isTTY === true && !noColor; L160: var canAnimate = fancyErr && !process.env.CI; L161: var paint = (enabled) => (open2, close) => (s) => enabled ? `\x1B[${open2}m${s}\x1B[${close}m` : s;
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cli/index.jsView on unpkg · L70
matchType = previous_version_dangerous_delta matchedPackage = @pimmesz/afterburner@2.11.0 matchedIdentity = npm:QHBpbW1lc3ovYWZ0ZXJidXJuZXI:2.11.0 similarity = 0.750 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/cli/index.jsView on unpkg
326// src/cli/commands/auth.ts L327: import { spawn } from "child_process"; L328: import { createInterface } from "readline";
High
Child Process

Package source references child process execution.

dist/cli/index.jsView on unpkg · L326
2851if (platform === "win32") { L2852: return { name: "notify", ok: true, detail: "desktop banners via PowerShell toast" }; L2853: }
High
Shell

Package source references shell execution.

dist/cli/index.jsView on unpkg · L2851
2851if (platform === "win32") { L2852: return { name: "notify", ok: true, detail: "desktop banners via PowerShell toast" }; L2853: } ... L2861: function checkNtfy(config) { L2862: const hasToken = !!process.env.AFTERBURNER_NTFY_TOKEN; L2863: const server = config.notify.ntfy.server; L2864: if (hasToken && !server.startsWith("https://")) { L2865: return {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli/index.jsView on unpkg · L2851
2710const results = []; L2711: const version = spawnSync("claude", ["--version"], { encoding: "utf8" }); L2712: if (version.status !== 0) { ... L2716: detail: "claude-code engine selected but the `claude` CLI is not on PATH", L2717: fix: "Install Claude Code: `npm install -g @anthropic-ai/claude-code`, then run `claude /login`." L2718: });
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli/index.jsView on unpkg · L2710
70L71: // package.json L72: var package_default = { ... L117: type: "git", L118: url: "git+https://github.com/pimmesz/afterburner.git" L119: }, ... L156: // src/cli/ui.ts L157: var noColor = !!process.env.NO_COLOR || process.env.TERM === "dumb"; L158: var fancy = process.stdout.isTTY === true && !noColor; L159: var fancyErr = process.stderr.isTTY === true && !noColor; L160: var canAnimate = fancyErr && !process.env.CI; L161: var paint = (enabled) => (open2, close) => (s) => enabled ? `\x1B[${open2}m${s}\x1B[${close}m` : s;
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli/index.jsView on unpkg · L70

Findings

3 Critical4 High4 Medium4 Low
CriticalCommand Output Exfiltrationdist/cli/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/cli/index.js
CriticalPrevious Version Dangerous Deltadist/cli/index.js
HighChild Processdist/cli/index.js
HighShelldist/cli/index.js
HighSame File Env Network Executiondist/cli/index.js
HighRuntime Package Installdist/cli/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/cli/index.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings