registry  /  agent-takkub  /  1.0.17

agent-takkub@1.0.17

Desktop cockpit for orchestrating a team of Claude Code agents (Windows + macOS)

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package has a broad install-time setup surface but no confirmed malicious chain. npm postinstall provisions a first-party cockpit venv, may install Claude Code globally, adjusts PATH persistence, and creates a launcher.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install -g agent-takkub
Impact
User environment is modified at install time; no source-confirmed exfiltration, destructive action, or foreign AI-agent control hijack was found.
Mechanism
first-party agent cockpit provisioning with install-time PATH/launcher mutation
Rationale
Source inspection does not support a malicious verdict, but the install-time environment mutation and first-party agent setup are risky enough to warn. The scanner's AI-agent hijack label is noisy because npm postinstall explicitly avoids ~/.claude plugins/config and defers plugin setup to user-invoked flows.
Evidence
package.jsonnpm/scripts/postinstall.jsnpm/scripts/pathfix.jsnpm/scripts/shortcut.jsnpm/scripts/preflight.jsnpm/scripts/lib.jsnpm/bin/agent-takkub.jsnpm/bin/takkub.jsdist/agent_takkub-1.0.17-py3-none-any.whl~/.agent-takkub~/.zshrc~/.bashrcHKCU\Environment\Path~/Desktop/Takkub Cockpit.app~/Desktop/Takkub Cockpit.lnk
Network endpoints4
github.com/takkub/agent-takkubgithub.com/takkub/agent-takkub#readmegithub.com/takkub/agent-takkub/issues127.0.0.1

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
  • package.json runs postinstall: node npm/scripts/postinstall.js
  • postinstall creates/updates an isolated Python venv under AGENT_TAKKUB_HOME/default ~/.agent-takkub and pip-installs bundled dist wheel
  • postinstall installs @anthropic-ai/claude-code globally if claude CLI is missing
  • npm/scripts/pathfix.js can append npm global bin to ~/.zshrc/.bashrc or HKCU Environment Path
  • npm/scripts/shortcut.js creates a Desktop launcher on install
  • wheel ships Claude agent assets and hook/settings code, but not activated by npm postinstall
Evidence against
  • postinstall comments and code avoid touching ~/.claude plugins or ~/.takkub config
  • No credential harvesting or exfiltration found in inspected npm wrapper files
  • Runtime CLI connects only to 127.0.0.1 cockpit port for orchestration
  • Claude plugin installation appears in user-invoked plugin/provision flows, not npm postinstall
  • Bundled wheel metadata matches a GUI/CLI cockpit package with declared PyQt dependencies
  • No remote payload download or eval/Function/native binary loader found in npm entrypoints
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystem
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 7 file(s), 19.0 KB of source, external domains: www.apple.com

Source & flagged code

7 flagged · loading source
package.jsonView file
scripts.postinstall = node npm/scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node npm/scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
npm/scripts/pathfix.jsView file
11// then broadcasts WM_SETTINGCHANGE so new shells see it. L12: // • darwin/linux — appends a marker-guarded export block to ~/.zshrc (and L13: // ~/.bashrc when present). Idempotent via the marker. ... L16: L17: const { execFileSync, spawnSync } = require('child_process'); L18: const fs = require('fs'); ... L25: // Node ≥18 refuses to spawn .cmd shims without a shell (CVE-2024-27980 L26: // hardening) — route through cmd.exe explicitly on Windows. L27: const r = L28: process.platform === 'win32' L29: ? spawnSync('cmd.exe', ['/d', '/s', '/c', 'npm prefix -g'], { ... L34: : spawnSync('npm', ['prefix', '-g'], { encoding: 'utf8', timeout: 30000 });
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

npm/scripts/pathfix.jsView on unpkg · L11
npm/scripts/postinstall.jsView file
1Install-time AI-agent control hijack evidence: L8: // • REUSES an existing cockpit venv (upgrade in place) instead of wiping it. L9: // • Does NOT touch the global claude CLI, ~/.claude plugins, or ~/.takkub L10: // config. Anything shared/missing is left for an explicit, detect-first ... L60: L61: fs.mkdirSync(agentTakkubHome(), { recursive: true }); L62: ... L89: L90: const claudeOk = ensureClaudeCli(env.claudeCli.present); L91: ... L113: } L114: console.log(' Left untouched: ~/.claude plugins, ~/.takkub config (nothing overwritten).'); L115: console.log('\n Next steps:'); Payload evidence from dist/agent_takkub-1.0.17-py3-none-any.whl: L1: PK��\2�NU[agent_takkub/__init__.py �1� ��W4�%:��8�R��P"��� ��ts�I)�~l�%� L2: ���F�K^p����/�eʙ��EDc���(�{�;�eE�PK�%�\��'�KOagent_takkub/__main__.pyK+��U�K,(P��-�/*Q�M�����LS���K�M��W��UP�����+Yq)AQbfq�BpeqIj�kEf�HVCS� PKRj...
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

npm/scripts/postinstall.jsView on unpkg · L1
dist/agent_takkub-1.0.17-py3-none-any.whlView file
path = dist/agent_takkub-1.0.17-py3-none-any.whl kind = high_entropy_blob sizeBytes = 725351 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/agent_takkub-1.0.17-py3-none-any.whlView on unpkg
path = dist/agent_takkub-1.0.17-py3-none-any.whl kind = compressed_blob sizeBytes = 725351 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

dist/agent_takkub-1.0.17-py3-none-any.whlView on unpkg
path = dist/agent_takkub-1.0.17-py3-none-any.whl kind = nested_archive_needs_inspection sizeBytes = 725351 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

dist/agent_takkub-1.0.17-py3-none-any.whlView on unpkg

Findings

1 Critical2 High5 Medium5 Low
CriticalAi Agent Control Hijacknpm/scripts/postinstall.js
HighInstall Time Lifecycle Scriptspackage.json
HighShips High Entropy Blobdist/agent_takkub-1.0.17-py3-none-any.whl
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
MediumInstall Persistencenpm/scripts/pathfix.js
MediumShips Compressed Blobdist/agent_takkub-1.0.17-py3-none-any.whl
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNested Archive Needs Inspectiondist/agent_takkub-1.0.17-py3-none-any.whl