registry  /  @trustbaseai/claude-collab-plugin  /  0.3.1

@trustbaseai/claude-collab-plugin@0.3.1

Claude Code plugin layer for @trustbaseai/claude-collab (settings.json hooks, doctor, watch, session)

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. An explicit install command persists package-owned Claude Code hooks. Those hooks forward local tool-activity summaries to the configured collaboration client and inject polled collaboration messages into future Claude context; optional auto-wake launches a headless Claude session.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `claude-collab-plugin install`; watch and auto-wake require separate explicit CLI invocation and flags.
Impact
Tool metadata and selected Bash commands can be sent through `collab-send`; externally supplied collaboration messages can influence Claude sessions.
Mechanism
Persistent AI-agent hooks plus collaboration-message forwarding and context injection.
Rationale
The scanner’s malicious label overstates the evidence: activation is explicit and package-owned, with no npm lifecycle execution. The documented persistent hooks nevertheless create a real collaboration-mediated agent-control surface and automatic tool-summary forwarding, warranting a warning.
Evidence
package.jsonsrc/settings.jssrc/hooks.jsbin/claude-collab-plugin-install.jsbin/claude-collab-plugin-watch.jsscripts/claude-posttool-hook.jsscripts/claude-sessionstart-hook.jsscripts/claude-userpromptsubmit-hook.jsscripts/claude-auto-wake.js~/.claude/settings.json~/.claude/settings.json.bak.<timestamp>~/.claude/projects/<project>/*.jsonl~/.claude-collab/config.jsonD:/myopenclaw/.tmp/claude-pending-baobei.jsonD:/myopenclaw/.tmp/.claude-posttool-hook.last

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `src/settings.js` writes three persistent Claude hooks to `~/.claude/settings.json` when the user runs install.
  • `scripts/claude-posttool-hook.js` forwards summaries of Edit/Write/NotebookEdit and selected Bash commands via `collab-send baobei`.
  • `bin/claude-collab-plugin-watch.js` polls `collab-read`, writes received content to a pending file, and the hooks inject it as Claude `additionalContext`.
  • `scripts/claude-auto-wake.js` can launch `claude --print` on received messages when explicit `--auto-wake` is used.
  • `scripts/claude-posttool-hook.js` contains a credential-like value in a comment; it is not used as executable configuration.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • Hook installation is reached only through documented `claude-collab-plugin install`, not package installation or import.
  • The installer uses package-specific markers, preserves other hooks, writes backups, and provides an uninstall command.
  • No direct HTTP client, remote code download, eval, destructive deletion, or credential-file exfiltration is present in this package.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 15 file(s), 55.0 KB of source

Source & flagged code

5 flagged · loading source
bin/claude-collab-plugin.jsView file
61// Fallback: spawn `collab-doctor --version` (or scan its --json for version). L62: const { spawnSync } = require('child_process'); L63: const r = spawnSync('collab-doctor --json', [], {
High
Child Process

Package source references child process execution.

bin/claude-collab-plugin.jsView on unpkg · L61
66windowsHide: true, L67: shell: true, L68: });
High
Shell

Package source references shell execution.

bin/claude-collab-plugin.jsView on unpkg · L66
15L16: const path = require('path'); L17:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/claude-collab-plugin.jsView on unpkg · L15
src/plugin-doctor.jsView file
81// require() resolution issue (cwd can't see packages installed via L82: // `npm install -g`). On Windows we need `shell: true` so the shell L83: // resolves `collab-doctor` to `collab-doctor.cmd` (PATHEXT).
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

src/plugin-doctor.jsView on unpkg · L81
bin/claude-collab-plugin-watch.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @trustbaseai/claude-collab-plugin@0.3.0 matchedIdentity = npm:[redacted]:0.3.0 similarity = 0.933 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/claude-collab-plugin-watch.jsView on unpkg

Findings

1 Critical3 High3 Medium3 Low
CriticalPrevious Version Dangerous Deltabin/claude-collab-plugin-watch.js
HighChild Processbin/claude-collab-plugin.js
HighShellbin/claude-collab-plugin.js
HighRuntime Package Installsrc/plugin-doctor.js
MediumDynamic Requirebin/claude-collab-plugin.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings