registry  /  @pimmesz/afterburner  /  3.0.1

@pimmesz/afterburner@3.0.1

Convert idle AI-subscription quota (Claude or Codex) into shippable engineering work: budget-aware trigger, bounded task selection, PR-only output.

AI Security Review

scanned 4d ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User invokes afterburner CLI commands such as run-once/watch/statusline install/skill install/update/notify setup.
Impact
Can execute local claude/codex sessions and mutate user/project config when configured by the user; no stealth exfiltration or unconsented lifecycle mutation found.
Mechanism
Explicit AI-agent automation and first-party Claude/Codex integration setup
Rationale
The package contains dangerous agent-control capabilities, but they are package-aligned, documented, and user-invoked; scanner claims of command-output exfiltration are explained by local agent execution and opt-in notification flows. Because it mutates AI-agent control surfaces through explicit commands, warn rather than block.
Evidence
package.jsondist/cli/index.jsdist/chunk-AUKKMD5H.jsdist/core/index.jsskill/SKILL.mdREADME.md~/.claude.json~/.claude/settings.json~/.claude/skills/afterburner/SKILL.mdafterburner config fileshell rc file when promptedafterburner data/cache files
Network endpoints3
api.telegram.orgntfy.shregistry.npmjs.org

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/chunk-AUKKMD5H.js builds and spawns live claude/codex agent commands for configured runs
  • dist/chunk-AUKKMD5H.js defaultPreTrustWorktree writes ~/.claude.json trust state for a worktree before Claude execution
  • dist/cli/index.js statusline install writes ~/.claude/settings.json to add an afterburner command hook
  • dist/cli/index.js skill install copies bundled skill/SKILL.md into ~/.claude/skills/afterburner
  • dist/cli/index.js update can run package-manager install commands when user invokes update
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts
  • Risky operations are CLI subcommands or configured run actions, not install-time execution
  • Telegram and ntfy network calls are notification features using user-provided config/env tokens
  • No source evidence of credential harvesting or sending command output to attacker-controlled endpoints
  • Claude/Codex API keys are stripped from spawned agent environments in runner code
  • README documents live agent behavior, skill install, update, and notification behavior
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 452 KB of source, external domains: afterburner.run, api.telegram.org, crontab.guru, git-scm.com, github.com, nodejs.org, ntfy.sh, registry.npmjs.org, www.apple.com

Source & flagged code

8 flagged · loading source
dist/cli/index.jsView file
75L76: // package.json L77: var package_default = { ... L122: type: "git", L123: url: "git+https://github.com/pimmesz/afterburner.git" L124: }, ... L161: // src/cli/ui.ts L162: var noColor = !!process.env.NO_COLOR || process.env.TERM === "dumb"; L163: var fancy = process.stdout.isTTY === true && !noColor; L164: var fancyErr = process.stderr.isTTY === true && !noColor; L165: var canAnimate = fancyErr && !process.env.CI; L166: var paint = (enabled) => (open2, close) => (s) => enabled ? `\x1B[${open2}m${s}\x1B[${close}m` : s;
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/cli/index.jsView on unpkg · L75
75Trigger-reachable chain: manifest.bin -> dist/cli/index.js L75: L76: // package.json L77: var package_default = { ... L122: type: "git", L123: url: "git+https://github.com/pimmesz/afterburner.git" L124: }, ... L161: // src/cli/ui.ts L162: var noColor = !!process.env.NO_COLOR || process.env.TERM === "dumb"; L163: var fancy = process.stdout.isTTY === true && !noColor; L164: var fancyErr = process.stderr.isTTY === true && !noColor; L165: var canAnimate = fancyErr && !process.env.CI; L166: var paint = (enabled) => (open2, close) => (s) => enabled ? `\x1B[${open2}m${s}\x1B[${close}m` : s;
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cli/index.jsView on unpkg · L75
331// src/cli/commands/auth.ts L332: import { spawn } from "child_process"; L333: import { createInterface } from "readline";
High
Child Process

Package source references child process execution.

dist/cli/index.jsView on unpkg · L331
3160if (platform === "win32") { L3161: return { name: "notify", ok: true, detail: "desktop banners via PowerShell toast" }; L3162: }
High
Shell

Package source references shell execution.

dist/cli/index.jsView on unpkg · L3160
3160if (platform === "win32") { L3161: return { name: "notify", ok: true, detail: "desktop banners via PowerShell toast" }; L3162: } ... L3170: function checkNtfy(config) { L3171: const hasToken = !!process.env.AFTERBURNER_NTFY_TOKEN; L3172: const server = config.notify.ntfy.server; L3173: if (hasToken && !server.startsWith("https://")) { L3174: return {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli/index.jsView on unpkg · L3160
3016const results = []; L3017: const version = spawnSync("claude", ["--version"], { encoding: "utf8" }); L3018: if (version.status !== 0) { ... L3022: detail: "claude-code engine selected but the `claude` CLI is not on PATH", L3023: fix: "Install Claude Code: `npm install -g @anthropic-ai/claude-code`, then run `claude /login`." L3024: });
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli/index.jsView on unpkg · L3016
75L76: // package.json L77: var package_default = { ... L122: type: "git", L123: url: "git+https://github.com/pimmesz/afterburner.git" L124: }, ... L161: // src/cli/ui.ts L162: var noColor = !!process.env.NO_COLOR || process.env.TERM === "dumb"; L163: var fancy = process.stdout.isTTY === true && !noColor; L164: var fancyErr = process.stderr.isTTY === true && !noColor; L165: var canAnimate = fancyErr && !process.env.CI; L166: var paint = (enabled) => (open2, close) => (s) => enabled ? `\x1B[${open2}m${s}\x1B[${close}m` : s;
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli/index.jsView on unpkg · L75
dist/chunk-AUKKMD5H.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @pimmesz/afterburner@3.0.0 matchedIdentity = npm:QHBpbW1lc3ovYWZ0ZXJidXJuZXI:3.0.0 similarity = 0.750 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/chunk-AUKKMD5H.jsView on unpkg

Findings

3 Critical4 High4 Medium4 Low
CriticalCommand Output Exfiltrationdist/cli/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/cli/index.js
CriticalPrevious Version Dangerous Deltadist/chunk-AUKKMD5H.js
HighChild Processdist/cli/index.js
HighShelldist/cli/index.js
HighSame File Env Network Executiondist/cli/index.js
HighRuntime Package Installdist/cli/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/cli/index.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings