registry  /  @pimmesz/afterburner  /  3.6.0

@pimmesz/afterburner@3.6.0

Burn the AI-subscription quota you'd lose each week (Claude or Codex) into small, reviewed pull requests: a budget-aware trigger that fires on expiring end-of-week surplus, bounded task selection, PR-only output.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package is a user-invoked AI automation CLI with explicit commands that can install first-party Claude Code integrations and scheduled jobs. This is a real agent-extension lifecycle risk, but inspection did not find unconsented lifecycle execution, credential exfiltration, or remote payload loading.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs commands such as `afterburner statusline install`, `afterburner skill install`, `afterburner init`, `afterburner schedule install`, or live run/review commands.
Impact
Can modify local Claude settings/skills, shell rc, scheduler artifacts, and run local agent tooling when the user opts into those commands.
Mechanism
explicit CLI-driven AI-agent integration and local automation setup
Rationale
Static inspection supports a warning for explicit first-party agent extension setup and local automation capabilities, not a publish block. No concrete malicious behavior such as install-time execution, credential exfiltration, destructive actions, remote payload execution, or unconsented broad AI-agent hijacking was found.
Evidence
package.jsondist/cli/index.jsdist/core/index.jsdist/chunk-5O7MBC45.jsskill/SKILL.md.env.exampleafterburner.config.example.ts~/.claude/settings.json~/.claude/skills/afterburner/SKILL.md~/.zshrc~/.bashrcnative scheduler artifact paths generated by schedule installafterburner config file
Network endpoints2
api.telegram.orgregistry.npmjs.org

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/cli/index.js has explicit `statusline install` command that edits Claude Code settings.json to run afterburner as a statusLine hook.
  • dist/cli/index.js has `skill install` command copying bundled skill/SKILL.md into the user's Claude skills directory.
  • dist/cli/index.js can append an afterburner statusline block to shell rc during interactive init when user accepts.
  • dist/cli/index.js spawns local agent/CLI commands such as claude, codex, git/gh and scheduler commands during user-invoked workflows.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • CLI actions are registered as explicit commands; no install-time mutation of Claude/Codex control surfaces was found.
  • Telegram network use is package-aligned notification/setup flow and requires AFTERBURNER_TELEGRAM_TOKEN.
  • `claude setup-token` output is masked on stdout and stored locally via explicit auth setup, not sent to a package-controlled endpoint.
  • dist/core/index.js only re-exports core APIs from the bundled chunk; no import-time execution beyond module initialization was found.
  • Setup install commands are hardened with --ignore-scripts by default unless config opts in.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 482 KB of source, external domains: afterburner.run, api.telegram.org, crontab.guru, git-scm.com, github.com, nodejs.org, ntfy.sh, registry.npmjs.org, www.apple.com

Source & flagged code

7 flagged · loading source
dist/cli/index.jsView file
79L80: // package.json L81: var package_default = { ... L127: type: "git", L128: url: "git+https://github.com/pimmesz/afterburner.git" L129: }, ... L166: // src/cli/ui.ts L167: var noColor = !!process.env.NO_COLOR || process.env.TERM === "dumb"; L168: var fancy = process.stdout.isTTY === true && !noColor; L169: var fancyErr = process.stderr.isTTY === true && !noColor; L170: var canAnimate = fancyErr && !process.env.CI; L171: var paint = (enabled) => (open2, close) => (s) => enabled ? `\x1B[${open2}m${s}\x1B[${close}m` : s;
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/cli/index.jsView on unpkg · L79
79Trigger-reachable chain: manifest.bin -> dist/cli/index.js L79: L80: // package.json L81: var package_default = { ... L127: type: "git", L128: url: "git+https://github.com/pimmesz/afterburner.git" L129: }, ... L166: // src/cli/ui.ts L167: var noColor = !!process.env.NO_COLOR || process.env.TERM === "dumb"; L168: var fancy = process.stdout.isTTY === true && !noColor; L169: var fancyErr = process.stderr.isTTY === true && !noColor; L170: var canAnimate = fancyErr && !process.env.CI; L171: var paint = (enabled) => (open2, close) => (s) => enabled ? `\x1B[${open2}m${s}\x1B[${close}m` : s;
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cli/index.jsView on unpkg · L79
344// src/cli/commands/auth.ts L345: import { spawn } from "child_process"; L346: import { createInterface } from "readline";
High
Child Process

Package source references child process execution.

dist/cli/index.jsView on unpkg · L344
3203if (platform === "win32") { L3204: return { name: "notify", ok: true, detail: "desktop banners via PowerShell toast" }; L3205: }
High
Shell

Package source references shell execution.

dist/cli/index.jsView on unpkg · L3203
3203if (platform === "win32") { L3204: return { name: "notify", ok: true, detail: "desktop banners via PowerShell toast" }; L3205: } ... L3213: function checkNtfy(config) { L3214: const hasToken = !!process.env.AFTERBURNER_NTFY_TOKEN; L3215: const server = config.notify.ntfy.server; L3216: if (hasToken && !server.startsWith("https://")) { L3217: return {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli/index.jsView on unpkg · L3203
3050const results = []; L3051: const version = spawnSync("claude", ["--version"], { encoding: "utf8" }); L3052: if (version.status !== 0) { ... L3056: detail: "claude-code engine selected but the `claude` CLI is not on PATH", L3057: fix: "Install Claude Code: `npm install -g @anthropic-ai/claude-code`, then run `claude /login`." L3058: });
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli/index.jsView on unpkg · L3050
79L80: // package.json L81: var package_default = { ... L127: type: "git", L128: url: "git+https://github.com/pimmesz/afterburner.git" L129: }, ... L166: // src/cli/ui.ts L167: var noColor = !!process.env.NO_COLOR || process.env.TERM === "dumb"; L168: var fancy = process.stdout.isTTY === true && !noColor; L169: var fancyErr = process.stderr.isTTY === true && !noColor; L170: var canAnimate = fancyErr && !process.env.CI; L171: var paint = (enabled) => (open2, close) => (s) => enabled ? `\x1B[${open2}m${s}\x1B[${close}m` : s;
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli/index.jsView on unpkg · L79

Findings

2 Critical4 High4 Medium4 Low
CriticalCommand Output Exfiltrationdist/cli/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/cli/index.js
HighChild Processdist/cli/index.js
HighShelldist/cli/index.js
HighSame File Env Network Executiondist/cli/index.js
HighRuntime Package Installdist/cli/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/cli/index.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings