registry  /  @pimmesz/afterburner  /  2.15.1

@pimmesz/afterburner@2.15.1

Convert idle AI-subscription quota (Claude or Codex) into shippable engineering work: budget-aware trigger, bounded task selection, PR-only output.

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is an AI automation CLI with user-invoked agent execution, scheduling, notifications, updates, and optional Claude/Codex status integrations.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Explicit CLI commands such as auth, init, schedule install, statusline install, update, run-once, or watch.
Impact
Can run AI agents and configured verification commands in user repos when configured, but no unconsented install/import-time execution or credential exfiltration was found.
Mechanism
User-consented automation and notification features.
Rationale
Scanner findings map to package-aligned, explicit CLI capabilities: AI-agent orchestration, notifications, scheduler installation, statusline integration, and self-update. I found no lifecycle hook, import-time execution, hidden endpoint, arbitrary exfiltration, or unconsented AI-agent control-surface mutation.
Evidence
package.jsondist/cli/index.jsdist/core/index.jsdist/chunk-K34TPJGR.jsskill/SKILL.mdREADME.md.env.exampleafterburner.config.example.ts
Network endpoints3
ntfy.shapi.telegram.orgregistry.npmjs.org

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/postinstall lifecycle hooks; bin points to dist/cli/index.js and main to dist/core/index.js.
    • dist/cli/index.js only parses CLI arguments at runtime; no import-time payload or automatic install-time execution found.
    • dist/cli/index.js auth runs `claude setup-token` only via explicit `afterburner auth`/prompt and stores locally, with stdout token redaction.
    • dist/cli/index.js schedule/statusline writes launchd/systemd/shell/Claude settings only after explicit commands or interactive prompts.
    • dist/chunk-K34TPJGR.js notification fetches go to configured ntfy/Telegram endpoints and send run summaries, not arbitrary command output.
    • dist/cli/index.js update command runs package-manager update only when user invokes `afterburner update`.
    Behavioral surface
    Source
    ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 4 file(s), 413 KB of source, external domains: api.telegram.org, crontab.guru, git-scm.com, github.com, nodejs.org, ntfy.sh, registry.npmjs.org, www.apple.com

    Source & flagged code

    7 flagged · loading source
    dist/cli/index.jsView file
    70L71: // package.json L72: var package_default = { ... L117: type: "git", L118: url: "git+https://github.com/pimmesz/afterburner.git" L119: }, ... L156: // src/cli/ui.ts L157: var noColor = !!process.env.NO_COLOR || process.env.TERM === "dumb"; L158: var fancy = process.stdout.isTTY === true && !noColor; L159: var fancyErr = process.stderr.isTTY === true && !noColor; L160: var canAnimate = fancyErr && !process.env.CI; L161: var paint = (enabled) => (open2, close) => (s) => enabled ? `\x1B[${open2}m${s}\x1B[${close}m` : s;
    Critical
    Command Output Exfiltration

    Source executes local commands and sends command output to an external endpoint.

    dist/cli/index.jsView on unpkg · L70
    70Trigger-reachable chain: manifest.bin -> dist/cli/index.js L70: L71: // package.json L72: var package_default = { ... L117: type: "git", L118: url: "git+https://github.com/pimmesz/afterburner.git" L119: }, ... L156: // src/cli/ui.ts L157: var noColor = !!process.env.NO_COLOR || process.env.TERM === "dumb"; L158: var fancy = process.stdout.isTTY === true && !noColor; L159: var fancyErr = process.stderr.isTTY === true && !noColor; L160: var canAnimate = fancyErr && !process.env.CI; L161: var paint = (enabled) => (open2, close) => (s) => enabled ? `\x1B[${open2}m${s}\x1B[${close}m` : s;
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    dist/cli/index.jsView on unpkg · L70
    326// src/cli/commands/auth.ts L327: import { spawn } from "child_process"; L328: import { createInterface } from "readline";
    High
    Child Process

    Package source references child process execution.

    dist/cli/index.jsView on unpkg · L326
    3084if (platform === "win32") { L3085: return { name: "notify", ok: true, detail: "desktop banners via PowerShell toast" }; L3086: }
    High
    Shell

    Package source references shell execution.

    dist/cli/index.jsView on unpkg · L3084
    3084if (platform === "win32") { L3085: return { name: "notify", ok: true, detail: "desktop banners via PowerShell toast" }; L3086: } ... L3094: function checkNtfy(config) { L3095: const hasToken = !!process.env.AFTERBURNER_NTFY_TOKEN; L3096: const server = config.notify.ntfy.server; L3097: if (hasToken && !server.startsWith("https://")) { L3098: return {
    High
    Same File Env Network Execution

    A single source file combines environment access, network access, and code or shell execution; review context before blocking.

    dist/cli/index.jsView on unpkg · L3084
    2943const results = []; L2944: const version = spawnSync("claude", ["--version"], { encoding: "utf8" }); L2945: if (version.status !== 0) { ... L2949: detail: "claude-code engine selected but the `claude` CLI is not on PATH", L2950: fix: "Install Claude Code: `npm install -g @anthropic-ai/claude-code`, then run `claude /login`." L2951: });
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    dist/cli/index.jsView on unpkg · L2943
    70L71: // package.json L72: var package_default = { ... L117: type: "git", L118: url: "git+https://github.com/pimmesz/afterburner.git" L119: }, ... L156: // src/cli/ui.ts L157: var noColor = !!process.env.NO_COLOR || process.env.TERM === "dumb"; L158: var fancy = process.stdout.isTTY === true && !noColor; L159: var fancyErr = process.stderr.isTTY === true && !noColor; L160: var canAnimate = fancyErr && !process.env.CI; L161: var paint = (enabled) => (open2, close) => (s) => enabled ? `\x1B[${open2}m${s}\x1B[${close}m` : s;
    Medium
    Install Persistence

    Source writes installer persistence such as shell profile or service configuration.

    dist/cli/index.jsView on unpkg · L70

    Findings

    2 Critical4 High4 Medium4 Low
    CriticalCommand Output Exfiltrationdist/cli/index.js
    CriticalTrigger Reachable Dangerous Capabilitydist/cli/index.js
    HighChild Processdist/cli/index.js
    HighShelldist/cli/index.js
    HighSame File Env Network Executiondist/cli/index.js
    HighRuntime Package Installdist/cli/index.js
    MediumNetwork
    MediumEnvironment Vars
    MediumInstall Persistencedist/cli/index.js
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings