registry  /  @pimmesz/afterburner  /  3.3.0

@pimmesz/afterburner@3.3.0

Convert idle AI-subscription quota (Claude or Codex) into shippable engineering work: budget-aware trigger, bounded task selection, PR-only output.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious install-time attack surface was found. The package does provide explicit user-command setup that mutates Claude Code user configuration and installs a package-owned Claude skill, which is agent extension lifecycle risk rather than unconsented hijack.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs afterburner statusline install, afterburner skill install, schedule install, update, or live runner commands.
Impact
Can add an Afterburner statusLine hook, install a Claude skill, schedule recurring runs, spawn local AI agents, and send configured notifications; no evidence of covert exfiltration or install-time persistence.
Mechanism
explicit CLI-driven agent configuration and automation setup
Rationale
Static inspection found powerful but package-aligned automation and explicit Claude Code integration setup, with no lifecycle hook, covert credential harvesting, or unconsented broad AI-agent control mutation. Per policy this warrants a warning for agent extension lifecycle risk, not a publish block.
Evidence
package.jsondist/cli/index.jsdist/chunk-IAWMLWHP.jsskill/SKILL.md~/.claude/settings.json~/.claude/skills/afterburner/SKILL.mdafterburner config file selected by usernative scheduler artifacts generated by schedule install
Network endpoints4
api.telegram.orgntfy.shregistry.npmjs.orggithub.com

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Benign with medium false-positive risk.
Evidence for warning
  • dist/cli/index.js exposes explicit `statusline install` that writes a Claude Code statusLine hook into ~/.claude/settings.json.
  • dist/cli/index.js exposes explicit `skill install` that copies bundled skill/SKILL.md into ~/.claude/skills/afterburner/SKILL.md.
  • dist/chunk-IAWMLWHP.js and dist/cli/index.js spawn `claude`/`codex` and run configured repo setup/verify commands during user-invoked automation.
  • dist/cli/index.js has user-invoked update command that can run npm/pnpm global install via shell.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • Agent/control-surface writes are behind explicit CLI commands, not import-time or install-time execution.
  • Telegram and ntfy network calls are notification/setup flows using user-provided tokens and configured HTTPS defaults.
  • Statusline install backs up existing settings and chains/restores an existing statusLine on uninstall.
  • Bundled skill/SKILL.md is a thin wrapper over afterburner CLI and instructs dry-run preview first.
  • Runner code sanitizes agent env and treats task/issue text as untrusted data in prompts.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 478 KB of source, external domains: afterburner.run, api.telegram.org, crontab.guru, git-scm.com, github.com, nodejs.org, ntfy.sh, registry.npmjs.org, www.apple.com

Source & flagged code

8 flagged · loading source
dist/cli/index.jsView file
78L79: // package.json L80: var package_default = { ... L126: type: "git", L127: url: "git+https://github.com/pimmesz/afterburner.git" L128: }, ... L165: // src/cli/ui.ts L166: var noColor = !!process.env.NO_COLOR || process.env.TERM === "dumb"; L167: var fancy = process.stdout.isTTY === true && !noColor; L168: var fancyErr = process.stderr.isTTY === true && !noColor; L169: var canAnimate = fancyErr && !process.env.CI; L170: var paint = (enabled) => (open2, close) => (s) => enabled ? `\x1B[${open2}m${s}\x1B[${close}m` : s;
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/cli/index.jsView on unpkg · L78
78Trigger-reachable chain: manifest.bin -> dist/cli/index.js L78: L79: // package.json L80: var package_default = { ... L126: type: "git", L127: url: "git+https://github.com/pimmesz/afterburner.git" L128: }, ... L165: // src/cli/ui.ts L166: var noColor = !!process.env.NO_COLOR || process.env.TERM === "dumb"; L167: var fancy = process.stdout.isTTY === true && !noColor; L168: var fancyErr = process.stderr.isTTY === true && !noColor; L169: var canAnimate = fancyErr && !process.env.CI; L170: var paint = (enabled) => (open2, close) => (s) => enabled ? `\x1B[${open2}m${s}\x1B[${close}m` : s;
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cli/index.jsView on unpkg · L78
343// src/cli/commands/auth.ts L344: import { spawn } from "child_process"; L345: import { createInterface } from "readline";
High
Child Process

Package source references child process execution.

dist/cli/index.jsView on unpkg · L343
3202if (platform === "win32") { L3203: return { name: "notify", ok: true, detail: "desktop banners via PowerShell toast" }; L3204: }
High
Shell

Package source references shell execution.

dist/cli/index.jsView on unpkg · L3202
3202if (platform === "win32") { L3203: return { name: "notify", ok: true, detail: "desktop banners via PowerShell toast" }; L3204: } ... L3212: function checkNtfy(config) { L3213: const hasToken = !!process.env.AFTERBURNER_NTFY_TOKEN; L3214: const server = config.notify.ntfy.server; L3215: if (hasToken && !server.startsWith("https://")) { L3216: return {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli/index.jsView on unpkg · L3202
3049const results = []; L3050: const version = spawnSync("claude", ["--version"], { encoding: "utf8" }); L3051: if (version.status !== 0) { ... L3055: detail: "claude-code engine selected but the `claude` CLI is not on PATH", L3056: fix: "Install Claude Code: `npm install -g @anthropic-ai/claude-code`, then run `claude /login`." L3057: });
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli/index.jsView on unpkg · L3049
78L79: // package.json L80: var package_default = { ... L126: type: "git", L127: url: "git+https://github.com/pimmesz/afterburner.git" L128: }, ... L165: // src/cli/ui.ts L166: var noColor = !!process.env.NO_COLOR || process.env.TERM === "dumb"; L167: var fancy = process.stdout.isTTY === true && !noColor; L168: var fancyErr = process.stderr.isTTY === true && !noColor; L169: var canAnimate = fancyErr && !process.env.CI; L170: var paint = (enabled) => (open2, close) => (s) => enabled ? `\x1B[${open2}m${s}\x1B[${close}m` : s;
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli/index.jsView on unpkg · L78
dist/chunk-IAWMLWHP.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @pimmesz/afterburner@3.0.3 matchedIdentity = npm:QHBpbW1lc3ovYWZ0ZXJidXJuZXI:3.0.3 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/chunk-IAWMLWHP.jsView on unpkg

Findings

3 Critical4 High4 Medium4 Low
CriticalCommand Output Exfiltrationdist/cli/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/cli/index.js
CriticalPrevious Version Dangerous Deltadist/chunk-IAWMLWHP.js
HighChild Processdist/cli/index.js
HighShelldist/cli/index.js
HighSame File Env Network Executiondist/cli/index.js
HighRuntime Package Installdist/cli/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/cli/index.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings