registry  /  @pimmesz/afterburner  /  3.5.0

@pimmesz/afterburner@3.5.0

Burn the AI-subscription quota you'd lose each week (Claude or Codex) into small, reviewed pull requests: a budget-aware trigger that fires on expiring end-of-week surplus, bounded task selection, PR-only output.

AI Security Review

scanned 6h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface. The package is an explicit AI-agent automation CLI with guarded setup commands that can mutate first-party Claude/Afterburner config and run local agent workflows when the user enables them.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User invokes afterburner CLI commands such as init, schedule install, statusline install, skill install, auth, run-once, watch, notify setup, or update.
Impact
Can run local claude/codex/git/gh commands, create worktrees/branches/PRs, install scheduler/config hooks, and send opt-in notifications.
Mechanism
Explicit user-command agent automation and first-party extension/config setup
Rationale
Static inspection confirms the scanner's command/network findings are package-aligned AI automation features activated by explicit CLI commands, with no npm install-time hook or hidden exfiltration path. Because it installs first-party Claude/Afterburner agent surfaces and can run local AI agents, warn rather than block.
Evidence
package.jsondist/cli/index.jsdist/chunk-5O7MBC45.jsdist/core/index.jsskill/SKILL.mdREADME.md.env.exampleafterburner.config.example.ts~/.claude/settings.json~/.claude/skills/afterburner/SKILL.md~/.zshrc~/.bashrcafterburner config pathconfigured repo worktrees.afterburner/backlog.jsonl
Network endpoints4
api.telegram.orgntfy.shregistry.npmjs.orggithub.com

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/cli/index.js registers user commands that install scheduler artifacts and Claude/Codex integrations.
  • dist/cli/index.js statusline install edits Claude settings and can append a shell rc prompt block after confirmation.
  • dist/cli/index.js skill install copies bundled skill/SKILL.md into ~/.claude/skills/afterburner.
  • dist/chunk-5O7MBC45.js runs claude/codex, git, gh, setup and verify commands on configured repos.
  • dist/cli/index.js can send configured notifications to Telegram and ntfy over HTTPS.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • Risky actions are CLI subcommands or live backend behavior, not install-time execution.
  • Tokens are prompted/read from env for auth and notification setup; code masks Claude setup-token output and stores token mode 0600.
  • Ntfy token is only sent to HTTPS servers; Telegram token goes to configured Telegram API base only if HTTPS.
  • Agent prompts explicitly mark task/issue text and verify output as untrusted data.
  • No evidence of hidden payload download, stealth persistence, credential harvesting, or unconsented broad agent control mutation.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 480 KB of source, external domains: afterburner.run, api.telegram.org, crontab.guru, git-scm.com, github.com, nodejs.org, ntfy.sh, registry.npmjs.org, www.apple.com

Source & flagged code

7 flagged · loading source
dist/cli/index.jsView file
79L80: // package.json L81: var package_default = { ... L127: type: "git", L128: url: "git+https://github.com/pimmesz/afterburner.git" L129: }, ... L166: // src/cli/ui.ts L167: var noColor = !!process.env.NO_COLOR || process.env.TERM === "dumb"; L168: var fancy = process.stdout.isTTY === true && !noColor; L169: var fancyErr = process.stderr.isTTY === true && !noColor; L170: var canAnimate = fancyErr && !process.env.CI; L171: var paint = (enabled) => (open2, close) => (s) => enabled ? `\x1B[${open2}m${s}\x1B[${close}m` : s;
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/cli/index.jsView on unpkg · L79
79Trigger-reachable chain: manifest.bin -> dist/cli/index.js L79: L80: // package.json L81: var package_default = { ... L127: type: "git", L128: url: "git+https://github.com/pimmesz/afterburner.git" L129: }, ... L166: // src/cli/ui.ts L167: var noColor = !!process.env.NO_COLOR || process.env.TERM === "dumb"; L168: var fancy = process.stdout.isTTY === true && !noColor; L169: var fancyErr = process.stderr.isTTY === true && !noColor; L170: var canAnimate = fancyErr && !process.env.CI; L171: var paint = (enabled) => (open2, close) => (s) => enabled ? `\x1B[${open2}m${s}\x1B[${close}m` : s;
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cli/index.jsView on unpkg · L79
344// src/cli/commands/auth.ts L345: import { spawn } from "child_process"; L346: import { createInterface } from "readline";
High
Child Process

Package source references child process execution.

dist/cli/index.jsView on unpkg · L344
3203if (platform === "win32") { L3204: return { name: "notify", ok: true, detail: "desktop banners via PowerShell toast" }; L3205: }
High
Shell

Package source references shell execution.

dist/cli/index.jsView on unpkg · L3203
3203if (platform === "win32") { L3204: return { name: "notify", ok: true, detail: "desktop banners via PowerShell toast" }; L3205: } ... L3213: function checkNtfy(config) { L3214: const hasToken = !!process.env.AFTERBURNER_NTFY_TOKEN; L3215: const server = config.notify.ntfy.server; L3216: if (hasToken && !server.startsWith("https://")) { L3217: return {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli/index.jsView on unpkg · L3203
3050const results = []; L3051: const version = spawnSync("claude", ["--version"], { encoding: "utf8" }); L3052: if (version.status !== 0) { ... L3056: detail: "claude-code engine selected but the `claude` CLI is not on PATH", L3057: fix: "Install Claude Code: `npm install -g @anthropic-ai/claude-code`, then run `claude /login`." L3058: });
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli/index.jsView on unpkg · L3050
79L80: // package.json L81: var package_default = { ... L127: type: "git", L128: url: "git+https://github.com/pimmesz/afterburner.git" L129: }, ... L166: // src/cli/ui.ts L167: var noColor = !!process.env.NO_COLOR || process.env.TERM === "dumb"; L168: var fancy = process.stdout.isTTY === true && !noColor; L169: var fancyErr = process.stderr.isTTY === true && !noColor; L170: var canAnimate = fancyErr && !process.env.CI; L171: var paint = (enabled) => (open2, close) => (s) => enabled ? `\x1B[${open2}m${s}\x1B[${close}m` : s;
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli/index.jsView on unpkg · L79

Findings

2 Critical4 High4 Medium4 Low
CriticalCommand Output Exfiltrationdist/cli/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/cli/index.js
HighChild Processdist/cli/index.js
HighShelldist/cli/index.js
HighSame File Env Network Executiondist/cli/index.js
HighRuntime Package Installdist/cli/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/cli/index.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings