registry  /  @trustbaseai/claude-collab-plugin  /  0.5.1

@trustbaseai/claude-collab-plugin@0.5.1

Claude Code plugin layer for @trustbaseai/claude-collab (settings.json hooks, doctor, watch, session)

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Run `claude-collab-plugin install`; additionally run `claude-collab-plugin watch --auto-wake` for the sub-session path.
Impact
Tool activity metadata can be forwarded to the configured collab service; a malicious inbound message may influence a Bash-enabled sub-session that bypasses approvals.
Mechanism
Claude hook persistence, collab message forwarding, and prompt-injected auto-wake with skipped approvals.
Rationale
This is not an install-time malware chain: no npm lifecycle script runs and configuration changes require explicit commands. However, the optional auto-wake path combines externally sourced prompt content with `--allow-dangerously-skip-permissions`, creating a concrete dangerous AI-agent capability.
Evidence
package.jsonsrc/settings.jssrc/hooks.jsscripts/claude-posttool-hook.jsscripts/claude-auto-wake.jsbin/claude-collab-plugin-watch.js~/.claude/settings.jsonscripts/claude-sessionstart-hook.jsscripts/claude-userpromptsubmit-hook.js

Decision evidence

public snapshot
AI called this Suspicious at 94.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `src/hooks.js` explicitly installs three Claude hooks into `~/.claude/settings.json`.
  • `scripts/claude-posttool-hook.js` forwards edited-file/Bash summaries through `collab-send`.
  • `bin/claude-collab-plugin-watch.js` reads mailbox content and writes it for hook injection.
  • `scripts/claude-auto-wake.js` injects inbound messages into `claude --print` with `--allow-dangerously-skip-permissions` and Bash allowed.
  • Auto-wake sends model output using `collab-send` and acknowledges mailbox messages.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • Hook mutation occurs only after the explicit `claude-collab-plugin install` command.
  • Auto-wake is off unless the user explicitly supplies `watch --auto-wake`.
  • Source contains no direct HTTP client, credential harvesting, binary loading, or remote code download.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 15 file(s), 62.0 KB of source

Source & flagged code

5 flagged · loading source
bin/claude-collab-plugin.jsView file
61// Fallback: spawn `collab-doctor --version` (or scan its --json for version). L62: const { spawnSync } = require('child_process'); L63: const r = spawnSync('collab-doctor --json', [], {
High
Child Process

Package source references child process execution.

bin/claude-collab-plugin.jsView on unpkg · L61
66windowsHide: true, L67: shell: true, L68: });
High
Shell

Package source references shell execution.

bin/claude-collab-plugin.jsView on unpkg · L66
15L16: const path = require('path'); L17:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/claude-collab-plugin.jsView on unpkg · L15
src/plugin-doctor.jsView file
81// require() resolution issue (cwd can't see packages installed via L82: // `npm install -g`). On Windows we need `shell: true` so the shell L83: // resolves `collab-doctor` to `collab-doctor.cmd` (PATHEXT).
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

src/plugin-doctor.jsView on unpkg · L81
bin/claude-collab-plugin-watch.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @trustbaseai/claude-collab-plugin@0.3.7 matchedIdentity = npm:[redacted]:0.3.7 similarity = 0.867 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/claude-collab-plugin-watch.jsView on unpkg

Findings

1 Critical3 High3 Medium3 Low
CriticalPrevious Version Dangerous Deltabin/claude-collab-plugin-watch.js
HighChild Processbin/claude-collab-plugin.js
HighShellbin/claude-collab-plugin.js
HighRuntime Package Installsrc/plugin-doctor.js
MediumDynamic Requirebin/claude-collab-plugin.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings