registry  /  @trustbaseai/claude-collab  /  0.2.0

@trustbaseai/claude-collab@0.2.0

Claude Code adapter for collab-mcp HTTP API (Phase 3: X-API-Key auth)

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs a `collab-*` or `claude-collab-config` command, or calls an exported API.
Impact
A user-configured non-local MCP URL receives the configured API key; caller-controlled pending data is written to the configured pending directory.
Mechanism
User-invoked local agent configuration, HTTP collaboration RPC, and pending-file output.
Rationale
No concrete malicious chain or unconsented lifecycle mutation was found. The package nevertheless performs explicit-user-command AI-agent configuration and can route a stored key to a configurable endpoint, so it warrants a warning rather than a clean edge verdict.
Evidence
package.jsonsrc/cli.jssrc/config-store.jssrc/file-hook.jsbin/claude-collab-config.js~/.claude-collab/config.jsonD:/myopenclaw/.tmp/pending-{target}.json
Network endpoints5
127.0.0.1:3010/api/send/api/messages/api/ack/api/pending

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `bin/claude-collab-config.js` explicitly writes local agent configuration.
  • `src/config-store.js` stores `api_key` plaintext in `~/.claude-collab/config.json`.
  • `src/cli.js` sends the configured API key in `X-API-Key` to a configurable MCP host.
  • `src/file-hook.js` writes pending-message JSON into an external OpenClaw-related directory.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare hook.
  • All network calls are activated by exported APIs or user-invoked CLI commands.
  • The default network target is local `127.0.0.1:3010`; no hard-coded external host exists.
  • No child-process, eval, dynamic loading, persistence, deletion, or credential harvesting was found.
  • Config CLI redacts the API key when displaying it.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 10 file(s), 19.4 KB of source, external domains: 127.0.0.1

Source & flagged code

4 flagged · loading source
bin/claude-collab-config.jsView file
Published source reference
Medium
Ai Review Evidence

`bin/claude-collab-config.js` explicitly writes local agent configuration.

bin/claude-collab-config.jsView on unpkg
src/config-store.jsView file
Published source reference
Medium
Ai Review Evidence

`src/config-store.js` stores `api_key` plaintext in `~/.claude-collab/config.json`.

src/config-store.jsView on unpkg
src/cli.jsView file
Published source reference
Medium
Ai Review Evidence

`src/cli.js` sends the configured API key in `X-API-Key` to a configurable MCP host.

src/cli.jsView on unpkg
src/file-hook.jsView file
Published source reference
Medium
Ai Review Evidence

`src/file-hook.js` writes pending-message JSON into an external OpenClaw-related directory.

src/file-hook.jsView on unpkg

Findings

6 Medium4 Low
MediumNetwork
MediumEnvironment Vars
MediumAi Review Evidencebin/claude-collab-config.js
MediumAi Review Evidencesrc/config-store.js
MediumAi Review Evidencesrc/cli.js
MediumAi Review Evidencesrc/file-hook.js
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings