registry  /  @pimmesz/afterburner  /  3.0.3

@pimmesz/afterburner@3.0.3

Convert idle AI-subscription quota (Claude or Codex) into shippable engineering work: budget-aware trigger, bounded task selection, PR-only output.

AI Security Review

scanned 4d ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
Explicit CLI commands such as afterburner statusline install, skill install, auth, schedule install, update, run-once, or watch.
Impact
Can run Claude/Codex against configured repos, write scheduler/statusline/skill config, send notifications, and run configured setup/verify commands when the user opts in.
Mechanism
user-invoked AI-agent automation and configuration mutation
Rationale
Source inspection found no npm lifecycle hooks or import-time payload, and the risky primitives are tied to documented, explicit CLI workflows. Because it can modify Claude Code settings/skills and run agent processes, warn for agent capability abuse instead of blocking as malware.
Evidence
package.jsondist/cli/index.jsdist/chunk-AUKKMD5H.jsdist/core/index.jsskill/SKILL.md~/.claude/settings.json~/.claude.json~/.claude/skills/afterburner/SKILL.mdafterburner config fileafterburner data dir oauth-tokennative scheduler artifact paths
Network endpoints5
registry.npmjs.orgntfy.shapi.telegram.orggithub.com/pimmesz/afterburner.gitafterburner.run

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/cli/index.js statusline install explicitly writes Claude Code settings statusLine hook under claudeConfigDir().
  • dist/chunk-AUKKMD5H.js pre-trusts temporary Claude worktrees by editing .claude.json project trust state during live runs.
  • dist/chunk-AUKKMD5H.js launches claude/codex/git/gh and user-configured verify/setup commands as core package functionality.
  • dist/cli/index.js notify setup polls Telegram and stores chatId into the user config on explicit command.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts.
  • dist/core/index.js only re-exports core APIs; no import-time network or execution observed.
  • Network use is package-aligned: npm update checks, ntfy/Telegram notifications, GitHub/forge/git operations.
  • Token capture via claude setup-token is explicit afterburner auth and stores locally with mode 0600, not exfiltrated.
  • Scheduler, skill, update, statusline, and notify mutations are exposed as explicit CLI commands, not install-time behavior.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 452 KB of source, external domains: afterburner.run, api.telegram.org, crontab.guru, git-scm.com, github.com, nodejs.org, ntfy.sh, registry.npmjs.org, www.apple.com

Source & flagged code

8 flagged · loading source
dist/cli/index.jsView file
75L76: // package.json L77: var package_default = { ... L123: type: "git", L124: url: "git+https://github.com/pimmesz/afterburner.git" L125: }, ... L162: // src/cli/ui.ts L163: var noColor = !!process.env.NO_COLOR || process.env.TERM === "dumb"; L164: var fancy = process.stdout.isTTY === true && !noColor; L165: var fancyErr = process.stderr.isTTY === true && !noColor; L166: var canAnimate = fancyErr && !process.env.CI; L167: var paint = (enabled) => (open2, close) => (s) => enabled ? `\x1B[${open2}m${s}\x1B[${close}m` : s;
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/cli/index.jsView on unpkg · L75
75Trigger-reachable chain: manifest.bin -> dist/cli/index.js L75: L76: // package.json L77: var package_default = { ... L123: type: "git", L124: url: "git+https://github.com/pimmesz/afterburner.git" L125: }, ... L162: // src/cli/ui.ts L163: var noColor = !!process.env.NO_COLOR || process.env.TERM === "dumb"; L164: var fancy = process.stdout.isTTY === true && !noColor; L165: var fancyErr = process.stderr.isTTY === true && !noColor; L166: var canAnimate = fancyErr && !process.env.CI; L167: var paint = (enabled) => (open2, close) => (s) => enabled ? `\x1B[${open2}m${s}\x1B[${close}m` : s;
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cli/index.jsView on unpkg · L75
matchType = previous_version_dangerous_delta matchedPackage = @pimmesz/afterburner@3.0.1 matchedIdentity = npm:QHBpbW1lc3ovYWZ0ZXJidXJuZXI:3.0.1 similarity = 0.750 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli/index.jsView on unpkg
332// src/cli/commands/auth.ts L333: import { spawn } from "child_process"; L334: import { createInterface } from "readline";
High
Child Process

Package source references child process execution.

dist/cli/index.jsView on unpkg · L332
3161if (platform === "win32") { L3162: return { name: "notify", ok: true, detail: "desktop banners via PowerShell toast" }; L3163: }
High
Shell

Package source references shell execution.

dist/cli/index.jsView on unpkg · L3161
3161if (platform === "win32") { L3162: return { name: "notify", ok: true, detail: "desktop banners via PowerShell toast" }; L3163: } ... L3171: function checkNtfy(config) { L3172: const hasToken = !!process.env.AFTERBURNER_NTFY_TOKEN; L3173: const server = config.notify.ntfy.server; L3174: if (hasToken && !server.startsWith("https://")) { L3175: return {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli/index.jsView on unpkg · L3161
3017const results = []; L3018: const version = spawnSync("claude", ["--version"], { encoding: "utf8" }); L3019: if (version.status !== 0) { ... L3023: detail: "claude-code engine selected but the `claude` CLI is not on PATH", L3024: fix: "Install Claude Code: `npm install -g @anthropic-ai/claude-code`, then run `claude /login`." L3025: });
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli/index.jsView on unpkg · L3017
75L76: // package.json L77: var package_default = { ... L123: type: "git", L124: url: "git+https://github.com/pimmesz/afterburner.git" L125: }, ... L162: // src/cli/ui.ts L163: var noColor = !!process.env.NO_COLOR || process.env.TERM === "dumb"; L164: var fancy = process.stdout.isTTY === true && !noColor; L165: var fancyErr = process.stderr.isTTY === true && !noColor; L166: var canAnimate = fancyErr && !process.env.CI; L167: var paint = (enabled) => (open2, close) => (s) => enabled ? `\x1B[${open2}m${s}\x1B[${close}m` : s;
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli/index.jsView on unpkg · L75

Findings

3 Critical4 High4 Medium4 Low
CriticalCommand Output Exfiltrationdist/cli/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/cli/index.js
CriticalPrevious Version Dangerous Deltadist/cli/index.js
HighChild Processdist/cli/index.js
HighShelldist/cli/index.js
HighSame File Env Network Executiondist/cli/index.js
HighRuntime Package Installdist/cli/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/cli/index.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings