registry  /  @pimmesz/afterburner  /  2.19.1

@pimmesz/afterburner@2.19.1

Convert idle AI-subscription quota (Claude or Codex) into shippable engineering work: budget-aware trigger, bounded task selection, PR-only output.

AI Security Review

scanned 4d ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs commands such as `afterburner run-once`, `afterburner init`, `afterburner statusline install`, `afterburner skill install`, `afterburner auth`, or `afterburner update`.
Impact
Can spend AI quota, modify repo worktrees/branches, update Claude settings/statusline, install an Afterburner skill, store a local OAuth token, and contact notification/update endpoints.
Mechanism
explicit user-command agent config mutation and live agent automation
Rationale
Source inspection confirms real dangerous agent capabilities and explicit AI-agent config mutation, warranting a warning. It does not show unconsented lifecycle mutation, exfiltration, remote payload execution, or stealth behavior required to block as malicious.
Evidence
package.jsondist/cli/index.jsdist/chunk-4TTWKEKW.jsskill/SKILL.md~/.claude/settings.json~/.claude/skills/afterburner/SKILL.md~/.claude/projects~/.codexshell rc files selected by initrepo worktrees under Afterburner temp/worktree dirs
Network endpoints5
api.telegram.orgntfy.shregistry.npmjs.orggithub.com/pimmesz/afterburner.gitafterburner.run

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/chunk-4TTWKEKW.js builds a live Claude invocation with --permission-mode bypassPermissions for configured agent tasks.
  • dist/cli/index.js statusline install writes an Afterburner command into ~/.claude/settings.json after an interactive prompt.
  • dist/cli/index.js skill install copies bundled skill/SKILL.md into ~/.claude/skills/afterburner on explicit command.
  • dist/cli/index.js auth command spawns `claude setup-token` and stores a Claude OAuth token locally for scheduled runs.
  • dist/chunk-4TTWKEKW.js runs repo-configured setup/verify commands via execFile during user-configured automation.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • Dangerous operations are exposed through explicit CLI commands or config-gated runs, not install-time execution.
  • Network use is package-aligned: Telegram bot API, ntfy notifications, npm registry update checks, and GitHub/repo operations.
  • Agent prompts treat issue/task text as untrusted data and use env vars instead of interpolating into argv.
  • Claude statusline install backs up existing settings and chains prior statusLine rather than silently overwriting it.
  • No source evidence of credential exfiltration, stealth persistence, destructive payload, or remote code download on import/install.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 445 KB of source, external domains: afterburner.run, api.telegram.org, crontab.guru, git-scm.com, github.com, nodejs.org, ntfy.sh, registry.npmjs.org, www.apple.com

Source & flagged code

8 flagged · loading source
dist/chunk-4TTWKEKW.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @pimmesz/afterburner@2.19.2 matchedIdentity = npm:QHBpbW1lc3ovYWZ0ZXJidXJuZXI:2.19.2 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/chunk-4TTWKEKW.jsView on unpkg
549// src/core/exec.ts L550: import { execFile } from "child_process"; L551: import { promisify } from "util";
High
Child Process

Package source references child process execution.

dist/chunk-4TTWKEKW.jsView on unpkg · L549
840return { L841: tool: "powershell-toast", L842: available: true,
High
Shell

Package source references shell execution.

dist/chunk-4TTWKEKW.jsView on unpkg · L840
255// never attached over it (see NtfyNotifier.publish). L256: server: z.url().default("https://ntfy.sh") L257: }).prefault({}), ... L447: function claudeConfigDir() { L448: return process.env.CLAUDE_CONFIG_DIR || join(homedir(), ".claude"); L449: } ... L549: // src/core/exec.ts L550: import { execFile } from "child_process"; L551: import { promisify } from "util"; ... L557: const networkBound = isNetwork ? { timeout: REMOTE_NET_TIMEOUT_MS, killSignal: "SIGKILL" } : {}; L558: const { stdout } = await execFileP("git", args, { L559: cwd,
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/chunk-4TTWKEKW.jsView on unpkg · L255
dist/cli/index.jsView file
73L74: // package.json L75: var package_default = { ... L120: type: "git", L121: url: "git+https://github.com/pimmesz/afterburner.git" L122: }, ... L159: // src/cli/ui.ts L160: var noColor = !!process.env.NO_COLOR || process.env.TERM === "dumb"; L161: var fancy = process.stdout.isTTY === true && !noColor; L162: var fancyErr = process.stderr.isTTY === true && !noColor; L163: var canAnimate = fancyErr && !process.env.CI; L164: var paint = (enabled) => (open2, close) => (s) => enabled ? `\x1B[${open2}m${s}\x1B[${close}m` : s;
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/cli/index.jsView on unpkg · L73
73Trigger-reachable chain: manifest.bin -> dist/cli/index.js L73: L74: // package.json L75: var package_default = { ... L120: type: "git", L121: url: "git+https://github.com/pimmesz/afterburner.git" L122: }, ... L159: // src/cli/ui.ts L160: var noColor = !!process.env.NO_COLOR || process.env.TERM === "dumb"; L161: var fancy = process.stdout.isTTY === true && !noColor; L162: var fancyErr = process.stderr.isTTY === true && !noColor; L163: var canAnimate = fancyErr && !process.env.CI; L164: var paint = (enabled) => (open2, close) => (s) => enabled ? `\x1B[${open2}m${s}\x1B[${close}m` : s;
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cli/index.jsView on unpkg · L73
3152if (platform === "win32") { L3153: return { name: "notify", ok: true, detail: "desktop banners via PowerShell toast" }; L3154: } ... L3162: function checkNtfy(config) { L3163: const hasToken = !!process.env.AFTERBURNER_NTFY_TOKEN; L3164: const server = config.notify.ntfy.server; L3165: if (hasToken && !server.startsWith("https://")) { L3166: return {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli/index.jsView on unpkg · L3152
3011const results = []; L3012: const version = spawnSync("claude", ["--version"], { encoding: "utf8" }); L3013: if (version.status !== 0) { ... L3017: detail: "claude-code engine selected but the `claude` CLI is not on PATH", L3018: fix: "Install Claude Code: `npm install -g @anthropic-ai/claude-code`, then run `claude /login`." L3019: });
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli/index.jsView on unpkg · L3011

Findings

3 Critical4 High4 Medium4 Low
CriticalCommand Output Exfiltrationdist/cli/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/cli/index.js
CriticalPrevious Version Dangerous Deltadist/chunk-4TTWKEKW.js
HighChild Processdist/chunk-4TTWKEKW.js
HighShelldist/chunk-4TTWKEKW.js
HighSame File Env Network Executiondist/cli/index.js
HighRuntime Package Installdist/cli/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/chunk-4TTWKEKW.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings