registry  /  @zalom/plastic  /  1.1.3

@zalom/plastic@1.1.3

Intent-driven idea development system for AI coding agents

AI Security Review

scanned 49m ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Explicit installation modifies supported AI-agent configuration surfaces. It installs Plastic-branded skills/agents and, for Claude, hook commands that run Plastic scripts during agent events.

Static reason
No blocking static signals were detected.
Trigger
User runs `plastic install` or an update/reinstall command.
Impact
Persistent agent behavior changes in `~/.agents` and/or `~/.claude`; no unconsented npm install-time mutation was found.
Mechanism
First-party AI-agent extension and hook provisioning.
Rationale
The package is not concretely malicious, but it intentionally persists AI-agent extensions and Claude hooks after an explicit install command. Per policy, this first-party agent-extension setup warrants a warning rather than a block.
Evidence
package.jsonbin/plastic.jsscripts/install.rbscripts/update.rbscripts/lib/installer_core.rbscripts/lib/hook_registry.rbhooks/hooks.jsonhooks/check-updatescripts/lib/feedback_report.rb
Network endpoints1
github.com/zalom/plastic/issues/new

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `scripts/lib/installer_core.rb` installs skills and agent prompts into `~/.agents` for Codex after explicit CLI use.
  • The same installer writes Claude hook executables and merges commands into `~/.claude/settings.json`.
  • `hooks/hooks.json` registers lifecycle hooks for prompts and tool use when installed for Claude.
  • `scripts/update.rb` and `hooks/check-update` invoke npm metadata checks for updates.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
  • `bin/plastic.js` only runs after a user invokes the `plastic` binary.
  • No credential harvesting, data exfiltration, remote payload loading, eval, or shell-string execution was confirmed.
  • `scripts/lib/feedback_report.rb` redacts content and only creates a user-submitted GitHub issue URL.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 2.18 KB of source, external domains: mise.run

Source & flagged code

1 flagged · loading source
scripts/doctor.rbView file
path = scripts/doctor.rb kind = build_helper sizeBytes = 76226 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/doctor.rbView on unpkg

Findings

3 Medium3 Low
MediumEnvironment Vars
MediumShips Build Helperscripts/doctor.rb
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings