registry  /  agent-takkub  /  1.0.14

agent-takkub@1.0.14

Desktop cockpit for orchestrating a team of Claude Code agents (Windows + macOS)

AI Security Review

scanned 22h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package has broad install-time setup for a local AI-agent cockpit, including a Python venv, global Claude CLI install if absent, PATH persistence, and Desktop launcher creation. Runtime/provision paths can plant package-owned agent instructions and Claude hook settings, but inspection did not confirm exfiltration or unconsented install-time mutation of foreign Claude config.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install -g agent-takkub; later user-run agent-takkub/takkub provision
Impact
Warn-level lifecycle risk: modifies user environment and can configure agent panes, but behavior is aligned with documented cockpit functionality and lacks a concrete malicious chain.
Mechanism
install-time bootstrap plus explicit runtime AI-agent orchestration setup
Rationale
Static source inspection supports a warning for broad agent lifecycle and environment mutation, not a publish block. The risky primitives are visible, documented, mostly isolated/package-owned, and no concrete malicious chain was found.
Evidence
package.jsonnpm/scripts/postinstall.jsnpm/scripts/pathfix.jsnpm/scripts/shortcut.jsnpm/bin/agent-takkub.jsnpm/bin/takkub.jsdist/agent_takkub-1.0.14-py3-none-any.whl~/.agent-takkub~/.agent-takkub/venv~/.zshrc~/.bashrcHKCU\Environment PathDesktop/Takkub Cockpit.lnkDesktop/Takkub Cockpit.appAGENTS.mdruntime/hook-settings.json~/.claude/plugins/cache
Network endpoints4
git+https://github.com/takkub/agent-takkub.gitgithub.com/takkub/agent-takkub#readmegithub.com/takkub/agent-takkub/issuesraw.githubusercontent.com/takkub/agent-takkub/v1.0.5/assets/cockpit-main.png

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json runs postinstall: node npm/scripts/postinstall.js
  • postinstall creates/upgrades ~/.agent-takkub venv and pip-installs bundled wheel
  • postinstall installs global @anthropic-ai/claude-code when claude is missing
  • npm/scripts/pathfix.js appends npm global bin to ~/.zshrc/~/.bashrc or HKCU Environment Path
  • npm/scripts/shortcut.js writes Desktop launcher files
  • wheel contains explicit runtime agent setup: AGENTS.md planting, Claude hook settings, plugin installer
Evidence against
  • No credential/env harvesting or exfiltration found in inspected npm scripts
  • No direct ~/.claude mutation during npm postinstall; comments and code leave plugin/config setup to explicit runtime/provision flows
  • CLI network is local 127.0.0.1 orchestration with capability tokens
  • AGENTS.md planting checks marker and refuses to overwrite user-owned AGENTS.md
  • Bundled wheel source is package-aligned desktop cockpit/orchestration code, not an inert hidden payload
  • No obfuscated eval/vm/native binary loader found in inspected entrypoints
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystem
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 7 file(s), 19.0 KB of source, external domains: www.apple.com

Source & flagged code

7 flagged · loading source
package.jsonView file
scripts.postinstall = node npm/scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node npm/scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
npm/scripts/pathfix.jsView file
11// then broadcasts WM_SETTINGCHANGE so new shells see it. L12: // • darwin/linux — appends a marker-guarded export block to ~/.zshrc (and L13: // ~/.bashrc when present). Idempotent via the marker. ... L16: L17: const { execFileSync, spawnSync } = require('child_process'); L18: const fs = require('fs'); ... L25: // Node ≥18 refuses to spawn .cmd shims without a shell (CVE-2024-27980 L26: // hardening) — route through cmd.exe explicitly on Windows. L27: const r = L28: process.platform === 'win32' L29: ? spawnSync('cmd.exe', ['/d', '/s', '/c', 'npm prefix -g'], { ... L34: : spawnSync('npm', ['prefix', '-g'], { encoding: 'utf8', timeout: 30000 });
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

npm/scripts/pathfix.jsView on unpkg · L11
npm/scripts/postinstall.jsView file
1Install-time AI-agent control hijack evidence: L8: // • REUSES an existing cockpit venv (upgrade in place) instead of wiping it. L9: // • Does NOT touch the global claude CLI, ~/.claude plugins, or ~/.takkub L10: // config. Anything shared/missing is left for an explicit, detect-first ... L60: L61: fs.mkdirSync(agentTakkubHome(), { recursive: true }); L62: ... L89: L90: const claudeOk = ensureClaudeCli(env.claudeCli.present); L91: ... L113: } L114: console.log(' Left untouched: ~/.claude plugins, ~/.takkub config (nothing overwritten).'); L115: console.log('\n Next steps:'); Payload evidence from dist/agent_takkub-1.0.14-py3-none-any.whl: L1: PKp2�\�卮TZagent_takkub/__init__.py �1 L2: �0 н��d�� �SR��R�Fl����GD��靳�3�(����b�^ձڍ��S����p��`��(��_�[�3gL�>���PK�%�\��'�KOagent_takkub/__main__.pyK+��U�K,(P��-�/*Q�M�����LS���K�M��W��UP�����+Yq)A...
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

npm/scripts/postinstall.jsView on unpkg · L1
dist/agent_takkub-1.0.14-py3-none-any.whlView file
path = dist/agent_takkub-1.0.14-py3-none-any.whl kind = high_entropy_blob sizeBytes = 717259 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/agent_takkub-1.0.14-py3-none-any.whlView on unpkg
path = dist/agent_takkub-1.0.14-py3-none-any.whl kind = compressed_blob sizeBytes = 717259 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

dist/agent_takkub-1.0.14-py3-none-any.whlView on unpkg
path = dist/agent_takkub-1.0.14-py3-none-any.whl kind = nested_archive_needs_inspection sizeBytes = 717259 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

dist/agent_takkub-1.0.14-py3-none-any.whlView on unpkg

Findings

1 Critical2 High5 Medium5 Low
CriticalAi Agent Control Hijacknpm/scripts/postinstall.js
HighInstall Time Lifecycle Scriptspackage.json
HighShips High Entropy Blobdist/agent_takkub-1.0.14-py3-none-any.whl
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
MediumInstall Persistencenpm/scripts/pathfix.js
MediumShips Compressed Blobdist/agent_takkub-1.0.14-py3-none-any.whl
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNested Archive Needs Inspectiondist/agent_takkub-1.0.14-py3-none-any.whl