registry  /  @trustbaseai/claude-collab-plugin  /  0.8.1

@trustbaseai/claude-collab-plugin@0.8.1

Claude Code plugin layer for @trustbaseai/claude-collab (settings.json hooks, doctor, watch, session)

AI Security Review

scanned 1h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs the install command and enables `claude-collab-plugin watch --auto-wake` or saved auto-wake configuration.
Impact
A malicious collaboration message could attempt to steer the unattended Claude subprocess into executing local commands; tool summaries may be forwarded through the collaboration client.
Mechanism
remote-message-to-agent prompt injection with dangerous Bash capability
Rationale
This is not an npm lifecycle attack and its control-surface changes are explicit-user-command setup. However, the opt-in auto-wake path combines remotely sourced content with an unattended agent process whose Bash permissions are deliberately bypassed.
Evidence
src/settings.jssrc/hooks.jsbin/claude-collab-plugin-watch.jsscripts/claude-auto-wake.jsscripts/claude-posttool-hook.jspackage.json~/.claude/settings.jsonD:/myopenclaw/.tmp/claude-pending-baobei.json

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • scripts/claude-auto-wake.js passes remote pending messages to `claude --print` with `--allow-dangerously-skip-permissions` and Bash allowed.
  • bin/claude-collab-plugin-watch.js invokes auto-wake when explicitly enabled, after `collab-read` retrieves messages.
  • src/settings.js installs persistent PostToolUse, SessionStart, and UserPromptSubmit command hooks in `~/.claude/settings.json`.
  • scripts/claude-posttool-hook.js forwards summaries of write operations and non-read Bash commands through `collab-send`.
Evidence against
  • package.json contains no preinstall, install, or postinstall lifecycle hook.
  • Hook/config mutations occur only through the package's explicit install command and are marker-scoped with backups.
  • No source-level HTTP client, credential harvesting, eval/vm use, payload download, or destructive broad file operation was found.
  • Auto-wake is opt-in by CLI flag or saved package configuration rather than enabled at import/install time.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 20 file(s), 78.5 KB of source

Source & flagged code

5 flagged · loading source
bin/claude-collab-plugin.jsView file
68} catch (_) { L69: const { spawnSync } = require('child_process'); L70: const r = spawnSync('collab-doctor --json', [], {
High
Child Process

Package source references child process execution.

bin/claude-collab-plugin.jsView on unpkg · L68
73windowsHide: true, L74: shell: true, L75: });
High
Shell

Package source references shell execution.

bin/claude-collab-plugin.jsView on unpkg · L73
19L20: const path = require('path'); L21:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/claude-collab-plugin.jsView on unpkg · L19
src/plugin-doctor.jsView file
81// require() resolution issue (cwd can't see packages installed via L82: // `npm install -g`). On Windows we need `shell: true` so the shell L83: // resolves `collab-doctor` to `collab-doctor.cmd` (PATHEXT).
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

src/plugin-doctor.jsView on unpkg · L81
bin/claude-collab-plugin-watch.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @trustbaseai/claude-collab-plugin@0.5.1 matchedIdentity = npm:[redacted]:0.5.1 similarity = 0.800 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/claude-collab-plugin-watch.jsView on unpkg

Findings

1 Critical3 High3 Medium3 Low
CriticalPrevious Version Dangerous Deltabin/claude-collab-plugin-watch.js
HighChild Processbin/claude-collab-plugin.js
HighShellbin/claude-collab-plugin.js
HighRuntime Package Installsrc/plugin-doctor.js
MediumDynamic Requirebin/claude-collab-plugin.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
@trustbaseai/claude-collab-plugin@0.8.1: Suspicious npm security | LPM Firewall