AI Security Review
scanned 1d ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious install-time attack surface was found. The package does provide explicit user-command setup that mutates Claude Code user configuration and installs a package-owned Claude skill, which is agent extension lifecycle risk rather than unconsented hijack.
Decision evidence
public snapshot- dist/cli/index.js exposes explicit `statusline install` that writes a Claude Code statusLine hook into ~/.claude/settings.json.
- dist/cli/index.js exposes explicit `skill install` that copies bundled skill/SKILL.md into ~/.claude/skills/afterburner/SKILL.md.
- dist/chunk-IAWMLWHP.js and dist/cli/index.js spawn `claude`/`codex` and run configured repo setup/verify commands during user-invoked automation.
- dist/cli/index.js has user-invoked update command that can run npm/pnpm global install via shell.
- package.json has no preinstall/install/postinstall lifecycle hooks.
- Agent/control-surface writes are behind explicit CLI commands, not import-time or install-time execution.
- Telegram and ntfy network calls are notification/setup flows using user-provided tokens and configured HTTPS defaults.
- Statusline install backs up existing settings and chains/restores an existing statusLine on uninstall.
- Bundled skill/SKILL.md is a thin wrapper over afterburner CLI and instructs dry-run preview first.
- Runner code sanitizes agent env and treats task/issue text as untrusted data in prompts.
Source & flagged code
8 flagged · loading sourceSource executes local commands and sends command output to an external endpoint.
dist/cli/index.jsView on unpkg · L78A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/cli/index.jsView on unpkg · L78Package source references child process execution.
dist/cli/index.jsView on unpkg · L343A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/cli/index.jsView on unpkg · L3202Package source invokes a package manager install command at runtime.
dist/cli/index.jsView on unpkg · L3049Source writes installer persistence such as shell profile or service configuration.
dist/cli/index.jsView on unpkg · L78This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/chunk-IAWMLWHP.jsView on unpkg