registry  /  @pimmesz/afterburner  /  2.14.0

@pimmesz/afterburner@2.14.0

Convert idle AI-subscription quota (Claude or Codex) into shippable engineering work: budget-aware trigger, bounded task selection, PR-only output.

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is an explicit CLI for budget-gated AI agent automation, notifications, scheduling, and updates; risky primitives are user-invoked and aligned with documented functionality.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
Manual execution of `afterburner`/`abr` CLI commands.
Impact
No unconsented install-time/import-time execution, credential harvesting, or exfiltration found.
Mechanism
User-configured agent orchestration, notifications, and optional scheduler/statusline setup.
Rationale
Static source inspection shows dangerous primitives, but they are explicit CLI features for the package's stated AI automation purpose with no lifecycle trigger or hidden exfiltration. The scanner findings are explained by user-invoked agent, notification, update, auth, schedule, and statusline workflows rather than malicious behavior.
Evidence
package.jsondist/cli/index.jsdist/chunk-5AFOTJE7.jsdist/core/index.jsskill/SKILL.md.env.exampleafterburner.config.example.tsREADME.md
Network endpoints3
registry.npmjs.orgntfy.shapi.telegram.org

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/chunk-5AFOTJE7.js builds user-invoked Claude/Codex agent runs with child_process and git/gh commands.
  • dist/cli/index.js update command can run npm/pnpm/yarn/bun global update, but only via `afterburner update`.
  • dist/cli/index.js statusline/schedule/auth commands write user config or scheduler files after explicit CLI prompts/commands.
Evidence against
  • package.json has no install/postinstall lifecycle hooks; bin entrypoints are manual CLI commands.
  • dist/core/index.js only re-exports bundled core; no import-time execution observed.
  • Notifier network use is package-aligned and configured: ntfy, Telegram, and npm registry update checks.
  • Agent prompts treat task/issue text as untrusted data and use isolated worktrees plus review/default-branch checks.
  • Secrets are read from documented env vars; ntfy token is only sent over https and agent env strips Anthropic API tokens.
  • skill/SKILL.md is a thin wrapper for explicit afterburner requests, not automatic control-surface mutation.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 410 KB of source, external domains: api.telegram.org, crontab.guru, git-scm.com, github.com, nodejs.org, ntfy.sh, registry.npmjs.org, www.apple.com

Source & flagged code

8 flagged · loading source
dist/cli/index.jsView file
70L71: // package.json L72: var package_default = { ... L117: type: "git", L118: url: "git+https://github.com/pimmesz/afterburner.git" L119: }, ... L156: // src/cli/ui.ts L157: var noColor = !!process.env.NO_COLOR || process.env.TERM === "dumb"; L158: var fancy = process.stdout.isTTY === true && !noColor; L159: var fancyErr = process.stderr.isTTY === true && !noColor; L160: var canAnimate = fancyErr && !process.env.CI; L161: var paint = (enabled) => (open2, close) => (s) => enabled ? `\x1B[${open2}m${s}\x1B[${close}m` : s;
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/cli/index.jsView on unpkg · L70
70Trigger-reachable chain: manifest.bin -> dist/cli/index.js L70: L71: // package.json L72: var package_default = { ... L117: type: "git", L118: url: "git+https://github.com/pimmesz/afterburner.git" L119: }, ... L156: // src/cli/ui.ts L157: var noColor = !!process.env.NO_COLOR || process.env.TERM === "dumb"; L158: var fancy = process.stdout.isTTY === true && !noColor; L159: var fancyErr = process.stderr.isTTY === true && !noColor; L160: var canAnimate = fancyErr && !process.env.CI; L161: var paint = (enabled) => (open2, close) => (s) => enabled ? `\x1B[${open2}m${s}\x1B[${close}m` : s;
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cli/index.jsView on unpkg · L70
matchType = previous_version_dangerous_delta matchedPackage = @pimmesz/afterburner@2.12.0 matchedIdentity = npm:QHBpbW1lc3ovYWZ0ZXJidXJuZXI:2.12.0 similarity = 0.750 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/cli/index.jsView on unpkg
326// src/cli/commands/auth.ts L327: import { spawn } from "child_process"; L328: import { createInterface } from "readline";
High
Child Process

Package source references child process execution.

dist/cli/index.jsView on unpkg · L326
3073if (platform === "win32") { L3074: return { name: "notify", ok: true, detail: "desktop banners via PowerShell toast" }; L3075: }
High
Shell

Package source references shell execution.

dist/cli/index.jsView on unpkg · L3073
3073if (platform === "win32") { L3074: return { name: "notify", ok: true, detail: "desktop banners via PowerShell toast" }; L3075: } ... L3083: function checkNtfy(config) { L3084: const hasToken = !!process.env.AFTERBURNER_NTFY_TOKEN; L3085: const server = config.notify.ntfy.server; L3086: if (hasToken && !server.startsWith("https://")) { L3087: return {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli/index.jsView on unpkg · L3073
2932const results = []; L2933: const version = spawnSync("claude", ["--version"], { encoding: "utf8" }); L2934: if (version.status !== 0) { ... L2938: detail: "claude-code engine selected but the `claude` CLI is not on PATH", L2939: fix: "Install Claude Code: `npm install -g @anthropic-ai/claude-code`, then run `claude /login`." L2940: });
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli/index.jsView on unpkg · L2932
70L71: // package.json L72: var package_default = { ... L117: type: "git", L118: url: "git+https://github.com/pimmesz/afterburner.git" L119: }, ... L156: // src/cli/ui.ts L157: var noColor = !!process.env.NO_COLOR || process.env.TERM === "dumb"; L158: var fancy = process.stdout.isTTY === true && !noColor; L159: var fancyErr = process.stderr.isTTY === true && !noColor; L160: var canAnimate = fancyErr && !process.env.CI; L161: var paint = (enabled) => (open2, close) => (s) => enabled ? `\x1B[${open2}m${s}\x1B[${close}m` : s;
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli/index.jsView on unpkg · L70

Findings

3 Critical4 High4 Medium4 Low
CriticalCommand Output Exfiltrationdist/cli/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/cli/index.js
CriticalPrevious Version Dangerous Deltadist/cli/index.js
HighChild Processdist/cli/index.js
HighShelldist/cli/index.js
HighSame File Env Network Executiondist/cli/index.js
HighRuntime Package Installdist/cli/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/cli/index.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings