registry  /  agent-takkub  /  1.0.13

agent-takkub@1.0.13

Desktop cockpit for orchestrating a team of Claude Code agents (Windows + macOS)

AI Security Review

scanned 22h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface was established. The package has high-risk installer behavior for a desktop AI-agent cockpit: it provisions a Python venv, may install Claude Code globally, updates PATH persistence, and later can configure package-owned hooks/MCPs for spawned panes.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm global install postinstall; later explicit takkub/agent-takkub commands
Impact
User environment is modified for the tool, but inspected source does not show unconsented foreign AI control-surface hijack, exfiltration, or destructive behavior.
Mechanism
installer provisioning plus first-party agent orchestration setup
Rationale
The scanner’s control-hijack label is too strong for the inspected source: install-time mutation is limited to product provisioning, PATH, shortcut creation, and optional Claude CLI install, while AI-agent plugin/MCP setup is explicit/user-invoked or package-owned runtime config. This is still risky enough to warn because a lifecycle hook persistently modifies the user environment and bootstraps an agent orchestration tool.
Evidence
package.jsonnpm/scripts/postinstall.jsnpm/scripts/pathfix.jsnpm/scripts/shortcut.jsnpm/bin/agent-takkub.jsnpm/bin/takkub.jsdist/agent_takkub-1.0.13-py3-none-any.whl~/.agent-takkub~/.zshrc~/.bashrcHKCU\Environment\Path~/Desktop/Takkub Cockpit.app~/Desktop/Takkub Cockpit.lnkruntime/hook-settings.jsonruntime/shared-mcp.json
Network endpoints1
github.com/takkub/agent-takkub.git

Decision evidence

public snapshot
AI called this Suspicious at 83.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json runs postinstall: node npm/scripts/postinstall.js
  • postinstall creates/upgrades ~/.agent-takkub venv and pip-installs bundled dist/*.whl
  • postinstall may run npm install -g @anthropic-ai/claude-code when claude is missing
  • npm/scripts/pathfix.js can append npm global bin to ~/.zshrc/.bashrc or HKCU Environment Path
  • wheel contains agent/hook/MCP setup code, but invoked by cockpit/provision flows
Evidence against
  • postinstall comments and code avoid ~/.claude plugins and ~/.takkub config mutation
  • takkub provision explicitly performs plugin/MCP setup after user command, not during npm install
  • No credential harvesting or exfiltration endpoint found in inspected JS installer/bin files
  • bin wrappers only spawn venv Python modules with user CLI args
  • hook settings are written under package runtime dir for cockpit-spawned panes
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystem
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 7 file(s), 19.0 KB of source, external domains: www.apple.com

Source & flagged code

7 flagged · loading source
package.jsonView file
scripts.postinstall = node npm/scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node npm/scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
npm/scripts/pathfix.jsView file
11// then broadcasts WM_SETTINGCHANGE so new shells see it. L12: // • darwin/linux — appends a marker-guarded export block to ~/.zshrc (and L13: // ~/.bashrc when present). Idempotent via the marker. ... L16: L17: const { execFileSync, spawnSync } = require('child_process'); L18: const fs = require('fs'); ... L25: // Node ≥18 refuses to spawn .cmd shims without a shell (CVE-2024-27980 L26: // hardening) — route through cmd.exe explicitly on Windows. L27: const r = L28: process.platform === 'win32' L29: ? spawnSync('cmd.exe', ['/d', '/s', '/c', 'npm prefix -g'], { ... L34: : spawnSync('npm', ['prefix', '-g'], { encoding: 'utf8', timeout: 30000 });
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

npm/scripts/pathfix.jsView on unpkg · L11
npm/scripts/postinstall.jsView file
1Install-time AI-agent control hijack evidence: L8: // • REUSES an existing cockpit venv (upgrade in place) instead of wiping it. L9: // • Does NOT touch the global claude CLI, ~/.claude plugins, or ~/.takkub L10: // config. Anything shared/missing is left for an explicit, detect-first ... L60: L61: fs.mkdirSync(agentTakkubHome(), { recursive: true }); L62: ... L89: L90: const claudeOk = ensureClaudeCli(env.claudeCli.present); L91: ... L113: } L114: console.log(' Left untouched: ~/.claude plugins, ~/.takkub config (nothing overwritten).'); L115: console.log('\n Next steps:'); Payload evidence from dist/agent_takkub-1.0.13-py3-none-any.whl: L1: PKp2�\�卮TZagent_takkub/__init__.py �1 L2: �0 н��d�� �SR��R�Fl����GD��靳�3�(����b�^ձڍ��S����p��`��(��_�[�3gL�>���PK�%�\��'�KOagent_takkub/__main__.pyK+��U�K,(P��-�/*Q�M�����LS���K�M��W��UP�����+Yq)A...
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

npm/scripts/postinstall.jsView on unpkg · L1
dist/agent_takkub-1.0.13-py3-none-any.whlView file
path = dist/agent_takkub-1.0.13-py3-none-any.whl kind = high_entropy_blob sizeBytes = 715393 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/agent_takkub-1.0.13-py3-none-any.whlView on unpkg
path = dist/agent_takkub-1.0.13-py3-none-any.whl kind = compressed_blob sizeBytes = 715393 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

dist/agent_takkub-1.0.13-py3-none-any.whlView on unpkg
path = dist/agent_takkub-1.0.13-py3-none-any.whl kind = nested_archive_needs_inspection sizeBytes = 715393 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

dist/agent_takkub-1.0.13-py3-none-any.whlView on unpkg

Findings

1 Critical2 High5 Medium5 Low
CriticalAi Agent Control Hijacknpm/scripts/postinstall.js
HighInstall Time Lifecycle Scriptspackage.json
HighShips High Entropy Blobdist/agent_takkub-1.0.13-py3-none-any.whl
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
MediumInstall Persistencenpm/scripts/pathfix.js
MediumShips Compressed Blobdist/agent_takkub-1.0.13-py3-none-any.whl
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNested Archive Needs Inspectiondist/agent_takkub-1.0.13-py3-none-any.whl