registry  /  @pimmesz/afterburner  /  3.0.0

@pimmesz/afterburner@3.0.0

Convert idle AI-subscription quota (Claude or Codex) into shippable engineering work: budget-aware trigger, bounded task selection, PR-only output.

AI Security Review

scanned 4d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface is established. The package is a user-invoked AI automation CLI with scheduler and Claude/Codex integration that can run local agents and mutate user agent configuration when explicitly commanded.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs afterburner commands such as run-once, watch, schedule install, statusline install, skill install, auth, update, or notify setup.
Impact
Can schedule future runs, store a Claude OAuth token locally, install a Claude statusLine hook/skill, run git/gh/claude/codex, and send configured notifications.
Mechanism
explicit-user-command AI agent automation and first-party agent extension setup
Rationale
Static inspection shows high-risk AI automation capabilities, but they are package-purpose, user-invoked, and not triggered by npm installation or import. No credential exfiltration, stealth persistence, remote payload loading, or unconsented foreign AI-agent control-surface mutation was found.
Evidence
package.jsondist/cli/index.jsdist/chunk-G24POICL.jsskill/SKILL.md.env.exampleafterburner.config.example.ts~/.claude/settings.json~/.claude/skills/afterburner/SKILL.md~/Library/LaunchAgents/io.afterburner.run-once.plist~/.config/systemd/user/afterburner.service~/.config/systemd/user/afterburner.timerconfigured repository worktrees
Network endpoints4
registry.npmjs.orgapi.telegram.orgntfy.shgithub.com

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/cli/index.js exposes user commands that install schedulers, statusLine hook, and a Claude skill.
  • dist/chunk-G24POICL.js builds Claude invocations with --permission-mode bypassPermissions for live agent runs.
  • dist/cli/index.js auth command captures `claude setup-token` output and stores an OAuth token locally.
  • dist/cli/index.js update command can execute npm/pnpm update commands via shell when user runs `afterburner update`.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts.
  • CLI actions are registered commands; no install-time mutation or import-time agent execution found.
  • Network use is package-aligned: update checks, GitHub/git/gh, ntfy, Telegram notifications, and npm registry.
  • Tokens are read from env or `claude setup-token`; notifications only send to configured HTTPS endpoints.
  • Skill install copies bundled `skill/SKILL.md` into package-owned Claude skill directory by explicit command.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 450 KB of source, external domains: afterburner.run, api.telegram.org, crontab.guru, git-scm.com, github.com, nodejs.org, ntfy.sh, registry.npmjs.org, www.apple.com

Source & flagged code

7 flagged · loading source
dist/cli/index.jsView file
75L76: // package.json L77: var package_default = { ... L122: type: "git", L123: url: "git+https://github.com/pimmesz/afterburner.git" L124: }, ... L161: // src/cli/ui.ts L162: var noColor = !!process.env.NO_COLOR || process.env.TERM === "dumb"; L163: var fancy = process.stdout.isTTY === true && !noColor; L164: var fancyErr = process.stderr.isTTY === true && !noColor; L165: var canAnimate = fancyErr && !process.env.CI; L166: var paint = (enabled) => (open2, close) => (s) => enabled ? `\x1B[${open2}m${s}\x1B[${close}m` : s;
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/cli/index.jsView on unpkg · L75
75Trigger-reachable chain: manifest.bin -> dist/cli/index.js L75: L76: // package.json L77: var package_default = { ... L122: type: "git", L123: url: "git+https://github.com/pimmesz/afterburner.git" L124: }, ... L161: // src/cli/ui.ts L162: var noColor = !!process.env.NO_COLOR || process.env.TERM === "dumb"; L163: var fancy = process.stdout.isTTY === true && !noColor; L164: var fancyErr = process.stderr.isTTY === true && !noColor; L165: var canAnimate = fancyErr && !process.env.CI; L166: var paint = (enabled) => (open2, close) => (s) => enabled ? `\x1B[${open2}m${s}\x1B[${close}m` : s;
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cli/index.jsView on unpkg · L75
331// src/cli/commands/auth.ts L332: import { spawn } from "child_process"; L333: import { createInterface } from "readline";
High
Child Process

Package source references child process execution.

dist/cli/index.jsView on unpkg · L331
3159if (platform === "win32") { L3160: return { name: "notify", ok: true, detail: "desktop banners via PowerShell toast" }; L3161: }
High
Shell

Package source references shell execution.

dist/cli/index.jsView on unpkg · L3159
3159if (platform === "win32") { L3160: return { name: "notify", ok: true, detail: "desktop banners via PowerShell toast" }; L3161: } ... L3169: function checkNtfy(config) { L3170: const hasToken = !!process.env.AFTERBURNER_NTFY_TOKEN; L3171: const server = config.notify.ntfy.server; L3172: if (hasToken && !server.startsWith("https://")) { L3173: return {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli/index.jsView on unpkg · L3159
3015const results = []; L3016: const version = spawnSync("claude", ["--version"], { encoding: "utf8" }); L3017: if (version.status !== 0) { ... L3021: detail: "claude-code engine selected but the `claude` CLI is not on PATH", L3022: fix: "Install Claude Code: `npm install -g @anthropic-ai/claude-code`, then run `claude /login`." L3023: });
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli/index.jsView on unpkg · L3015
75L76: // package.json L77: var package_default = { ... L122: type: "git", L123: url: "git+https://github.com/pimmesz/afterburner.git" L124: }, ... L161: // src/cli/ui.ts L162: var noColor = !!process.env.NO_COLOR || process.env.TERM === "dumb"; L163: var fancy = process.stdout.isTTY === true && !noColor; L164: var fancyErr = process.stderr.isTTY === true && !noColor; L165: var canAnimate = fancyErr && !process.env.CI; L166: var paint = (enabled) => (open2, close) => (s) => enabled ? `\x1B[${open2}m${s}\x1B[${close}m` : s;
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli/index.jsView on unpkg · L75

Findings

2 Critical4 High4 Medium4 Low
CriticalCommand Output Exfiltrationdist/cli/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/cli/index.js
HighChild Processdist/cli/index.js
HighShelldist/cli/index.js
HighSame File Env Network Executiondist/cli/index.js
HighRuntime Package Installdist/cli/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/cli/index.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings