AI Security Review
scanned 3h ago · by lpm-firewall-aiWith `watch --auto-wake`, collab message content reaches a shell-enabled `claude` child-process invocation. Crafted message text can be interpreted by the shell, enabling command execution as the invoking user.
Decision evidence
public snapshot- `scripts/claude-auto-wake.js` builds a `claude --print` prompt from pending message content.
- It invokes `spawnSync('claude', args2, { shell: true })` with that untrusted content.
- `bin/claude-collab-plugin-watch.js` writes `collab-read` message bodies to the pending file, then invokes auto-wake when explicitly enabled.
- `scripts/claude-posttool-hook.js` forwards notable Bash command summaries to `collab-send`.
- `package.json` has no preinstall, install, or postinstall lifecycle hook.
- Importing `src/index.js` only exposes modules; it does not install hooks or start a daemon.
- Claude settings changes require the explicit `claude-collab-plugin install` command and preserve backups.
- No static external endpoint is embedded in the active send/read implementation.
Source & flagged code
5 flagged · loading sourcePackage source references child process execution.
bin/claude-collab-plugin.jsView on unpkg · L61Package source references dynamic require/import behavior.
bin/claude-collab-plugin.jsView on unpkg · L15Package source invokes a package manager install command at runtime.
src/plugin-doctor.jsView on unpkg · L81This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
bin/claude-collab-plugin-watch.jsView on unpkg