registry  /  @trustbaseai/claude-collab-plugin  /  0.3.0

@trustbaseai/claude-collab-plugin@0.3.0

Claude Code plugin layer for @trustbaseai/claude-collab (settings.json hooks, doctor, watch, session)

AI Security Review

scanned 3h ago · by lpm-firewall-ai

With `watch --auto-wake`, collab message content reaches a shell-enabled `claude` child-process invocation. Crafted message text can be interpreted by the shell, enabling command execution as the invoking user.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `claude-collab-plugin watch --auto-wake` and a new collab message is received.
Impact
Potential remote command execution as the local user; installed hooks also disclose selected command summaries to the configured collab service.
Mechanism
Network-derived message content passed to `spawnSync` with `shell: true`.
Rationale
The package is not install-time malware, but its opt-in auto-wake flow has a concrete shell-injection/RCE risk from remote message content. Its explicit Claude hook installation and command-summary forwarding add meaningful agent-control and data-disclosure exposure.
Evidence
package.jsonbin/claude-collab-plugin-watch.jsscripts/claude-auto-wake.jsscripts/claude-posttool-hook.jssrc/hooks.jssrc/settings.jsD:/myopenclaw/.tmp/claude-pending-baobei.json~/.claude/settings.json

Decision evidence

public snapshot
AI called this Suspicious at 95.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • `scripts/claude-auto-wake.js` builds a `claude --print` prompt from pending message content.
  • It invokes `spawnSync('claude', args2, { shell: true })` with that untrusted content.
  • `bin/claude-collab-plugin-watch.js` writes `collab-read` message bodies to the pending file, then invokes auto-wake when explicitly enabled.
  • `scripts/claude-posttool-hook.js` forwards notable Bash command summaries to `collab-send`.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hook.
  • Importing `src/index.js` only exposes modules; it does not install hooks or start a daemon.
  • Claude settings changes require the explicit `claude-collab-plugin install` command and preserve backups.
  • No static external endpoint is embedded in the active send/read implementation.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 15 file(s), 55.0 KB of source

Source & flagged code

5 flagged · loading source
bin/claude-collab-plugin.jsView file
61// Fallback: spawn `collab-doctor --version` (or scan its --json for version). L62: const { spawnSync } = require('child_process'); L63: const r = spawnSync('collab-doctor --json', [], {
High
Child Process

Package source references child process execution.

bin/claude-collab-plugin.jsView on unpkg · L61
66windowsHide: true, L67: shell: true, L68: });
High
Shell

Package source references shell execution.

bin/claude-collab-plugin.jsView on unpkg · L66
15L16: const path = require('path'); L17:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/claude-collab-plugin.jsView on unpkg · L15
src/plugin-doctor.jsView file
81// require() resolution issue (cwd can't see packages installed via L82: // `npm install -g`). On Windows we need `shell: true` so the shell L83: // resolves `collab-doctor` to `collab-doctor.cmd` (PATHEXT).
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

src/plugin-doctor.jsView on unpkg · L81
bin/claude-collab-plugin-watch.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @trustbaseai/claude-collab-plugin@0.2.0 matchedIdentity = npm:[redacted]:0.2.0 similarity = 0.692 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/claude-collab-plugin-watch.jsView on unpkg

Findings

1 Critical3 High3 Medium3 Low
CriticalPrevious Version Dangerous Deltabin/claude-collab-plugin-watch.js
HighChild Processbin/claude-collab-plugin.js
HighShellbin/claude-collab-plugin.js
HighRuntime Package Installsrc/plugin-doctor.js
MediumDynamic Requirebin/claude-collab-plugin.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings