registry  /  @pimmesz/afterburner  /  2.19.2

@pimmesz/afterburner@2.19.2

Convert idle AI-subscription quota (Claude or Codex) into shippable engineering work: budget-aware trigger, bounded task selection, PR-only output.

AI Security Review

scanned 5d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is an AI-agent automation CLI with powerful user-invoked features, but inspected source does not show install-time execution, hidden persistence, credential exfiltration, or unconsented foreign agent control-surface mutation.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
Explicit CLI commands such as afterburner run-once, schedule install, statusline install, skill install, auth, notify setup, or update.
Impact
Can spawn claude/codex, create review branches, write Afterburner config/cache/scheduler/statusline/skill files, and send configured notifications when the user opts in.
Mechanism
User-configured agent orchestration and optional local integrations
Rationale
Static inspection found high-privilege automation primitives, but they are documented, package-aligned, and activated by explicit CLI/config choices rather than npm lifecycle/import-time behavior. Scanner exfiltration hints map to configured notification/update/setup flows, not covert collection or transmission of command output or secrets.
Evidence
package.jsondist/cli/index.jsdist/chunk-G24POICL.jsskill/SKILL.md.env.exampleafterburner.config.example.tsafterburner.config.mjs.afterburner/backlog.jsonl~/.claude/settings.json~/.claude/skills/afterburner/SKILL.md~/.config/systemd/user/afterburner.service~/.config/systemd/user/afterburner.timer~/Library/LaunchAgents/io.afterburner.run-once.plist
Network endpoints5
registry.npmjs.orgntfy.shapi.telegram.orgafterburner.rungithub.com/pimmesz/afterburner

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no npm lifecycle hooks; only bin entrypoints and prepack build script.
    • dist/cli/index.js commands are registered under explicit CLI subcommands; no install-time scheduler/Claude mutation.
    • dist/cli/index.js statusline/skill/schedule installs are user-invoked and print/write expected Afterburner-owned integrations.
    • dist/chunk-G24POICL.js spawns claude/codex for configured automation and passes prompts via stdin/env, with strict MCP/user settings flags for Claude.
    • Network use is package-aligned: npm update check, ntfy/Telegram notifications/setup, GitHub/repo URLs from config.
    • Token handling is local/explicit: claude setup-token is run by afterburner auth and stored locally; notify tokens come from env and are sent only to configured HTTPS endpoints.
    Behavioral surface
    Source
    ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 4 file(s), 450 KB of source, external domains: afterburner.run, api.telegram.org, crontab.guru, git-scm.com, github.com, nodejs.org, ntfy.sh, registry.npmjs.org, www.apple.com

    Source & flagged code

    8 flagged · loading source
    dist/cli/index.jsView file
    75L76: // package.json L77: var package_default = { ... L122: type: "git", L123: url: "git+https://github.com/pimmesz/afterburner.git" L124: }, ... L161: // src/cli/ui.ts L162: var noColor = !!process.env.NO_COLOR || process.env.TERM === "dumb"; L163: var fancy = process.stdout.isTTY === true && !noColor; L164: var fancyErr = process.stderr.isTTY === true && !noColor; L165: var canAnimate = fancyErr && !process.env.CI; L166: var paint = (enabled) => (open2, close) => (s) => enabled ? `\x1B[${open2}m${s}\x1B[${close}m` : s;
    Critical
    Command Output Exfiltration

    Source executes local commands and sends command output to an external endpoint.

    dist/cli/index.jsView on unpkg · L75
    75Trigger-reachable chain: manifest.bin -> dist/cli/index.js L75: L76: // package.json L77: var package_default = { ... L122: type: "git", L123: url: "git+https://github.com/pimmesz/afterburner.git" L124: }, ... L161: // src/cli/ui.ts L162: var noColor = !!process.env.NO_COLOR || process.env.TERM === "dumb"; L163: var fancy = process.stdout.isTTY === true && !noColor; L164: var fancyErr = process.stderr.isTTY === true && !noColor; L165: var canAnimate = fancyErr && !process.env.CI; L166: var paint = (enabled) => (open2, close) => (s) => enabled ? `\x1B[${open2}m${s}\x1B[${close}m` : s;
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    dist/cli/index.jsView on unpkg · L75
    331// src/cli/commands/auth.ts L332: import { spawn } from "child_process"; L333: import { createInterface } from "readline";
    High
    Child Process

    Package source references child process execution.

    dist/cli/index.jsView on unpkg · L331
    3159if (platform === "win32") { L3160: return { name: "notify", ok: true, detail: "desktop banners via PowerShell toast" }; L3161: }
    High
    Shell

    Package source references shell execution.

    dist/cli/index.jsView on unpkg · L3159
    3159if (platform === "win32") { L3160: return { name: "notify", ok: true, detail: "desktop banners via PowerShell toast" }; L3161: } ... L3169: function checkNtfy(config) { L3170: const hasToken = !!process.env.AFTERBURNER_NTFY_TOKEN; L3171: const server = config.notify.ntfy.server; L3172: if (hasToken && !server.startsWith("https://")) { L3173: return {
    High
    Same File Env Network Execution

    A single source file combines environment access, network access, and code or shell execution; review context before blocking.

    dist/cli/index.jsView on unpkg · L3159
    3015const results = []; L3016: const version = spawnSync("claude", ["--version"], { encoding: "utf8" }); L3017: if (version.status !== 0) { ... L3021: detail: "claude-code engine selected but the `claude` CLI is not on PATH", L3022: fix: "Install Claude Code: `npm install -g @anthropic-ai/claude-code`, then run `claude /login`." L3023: });
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    dist/cli/index.jsView on unpkg · L3015
    75L76: // package.json L77: var package_default = { ... L122: type: "git", L123: url: "git+https://github.com/pimmesz/afterburner.git" L124: }, ... L161: // src/cli/ui.ts L162: var noColor = !!process.env.NO_COLOR || process.env.TERM === "dumb"; L163: var fancy = process.stdout.isTTY === true && !noColor; L164: var fancyErr = process.stderr.isTTY === true && !noColor; L165: var canAnimate = fancyErr && !process.env.CI; L166: var paint = (enabled) => (open2, close) => (s) => enabled ? `\x1B[${open2}m${s}\x1B[${close}m` : s;
    Medium
    Install Persistence

    Source writes installer persistence such as shell profile or service configuration.

    dist/cli/index.jsView on unpkg · L75
    dist/chunk-G24POICL.jsView file
    matchType = previous_version_dangerous_delta matchedPackage = @pimmesz/afterburner@2.18.0 matchedIdentity = npm:QHBpbW1lc3ovYWZ0ZXJidXJuZXI:2.18.0 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    dist/chunk-G24POICL.jsView on unpkg

    Findings

    3 Critical4 High4 Medium4 Low
    CriticalCommand Output Exfiltrationdist/cli/index.js
    CriticalTrigger Reachable Dangerous Capabilitydist/cli/index.js
    CriticalPrevious Version Dangerous Deltadist/chunk-G24POICL.js
    HighChild Processdist/cli/index.js
    HighShelldist/cli/index.js
    HighSame File Env Network Executiondist/cli/index.js
    HighRuntime Package Installdist/cli/index.js
    MediumNetwork
    MediumEnvironment Vars
    MediumInstall Persistencedist/cli/index.js
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings