registry  /  agent-takkub  /  1.0.15

agent-takkub@1.0.15

Desktop cockpit for orchestrating a team of Claude Code agents (Windows + macOS)

AI Security Review

scanned 17h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package is an AI-agent cockpit that provisions a Python venv and can later install/configure Claude agent plugins and pane instructions. The risky behavior is package-aligned and mostly explicit-user-command, but install-time global Claude CLI install and PATH mutation create lifecycle risk.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install -g agent-takkub; later user runs takkub provision or spawns panes
Impact
Modifies user developer environment for agent orchestration; no confirmed exfiltration or hijack at install time
Mechanism
first-party agent extension setup and installer PATH/global CLI mutation
Rationale
Source inspection shows real AI-agent extension lifecycle risk, but not the concrete unconsented foreign/broad control-surface mutation, exfiltration, or remote payload execution needed to block. Downgrade to warn rather than malicious.
Evidence
package.jsonnpm/scripts/postinstall.jsnpm/scripts/pathfix.jsnpm/scripts/shortcut.jsdist/agent_takkub-1.0.15-py3-none-any.whlnpm/bin/agent-takkub.jsnpm/bin/takkub.jsagent_takkub/plugin_installer.pyagent_takkub/codex_agents_md.pyagent_takkub/hook_wiring.pyagent_takkub/pane_env.py

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json runs postinstall npm/scripts/postinstall.js
  • postinstall creates ~/.agent-takkub venv and pip-installs bundled wheel
  • postinstall installs @anthropic-ai/claude-code globally if claude CLI is missing
  • npm/scripts/pathfix.js can append npm global bin to HKCU Environment Path or shell rc files
  • wheel ships agent_takkub/_assets/.claude/agents/*.md and explicit plugin installer for Claude plugins
Evidence against
  • postinstall comments and code avoid writing ~/.claude plugins or ~/.takkub config at install time
  • Claude plugin installation is exposed through explicit takkub provision/plugin UI, not npm lifecycle
  • AGENTS.md planting only occurs for spawned panes and refuses user-owned files without its marker
  • pane_env.py uses env allowlists and excludes common secret-bearing vars by default
  • No credential harvesting, destructive file deletion, eval, or remote payload download found in inspected source
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystem
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 7 file(s), 19.0 KB of source, external domains: www.apple.com

Source & flagged code

7 flagged · loading source
package.jsonView file
scripts.postinstall = node npm/scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node npm/scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
npm/scripts/pathfix.jsView file
11// then broadcasts WM_SETTINGCHANGE so new shells see it. L12: // • darwin/linux — appends a marker-guarded export block to ~/.zshrc (and L13: // ~/.bashrc when present). Idempotent via the marker. ... L16: L17: const { execFileSync, spawnSync } = require('child_process'); L18: const fs = require('fs'); ... L25: // Node ≥18 refuses to spawn .cmd shims without a shell (CVE-2024-27980 L26: // hardening) — route through cmd.exe explicitly on Windows. L27: const r = L28: process.platform === 'win32' L29: ? spawnSync('cmd.exe', ['/d', '/s', '/c', 'npm prefix -g'], { ... L34: : spawnSync('npm', ['prefix', '-g'], { encoding: 'utf8', timeout: 30000 });
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

npm/scripts/pathfix.jsView on unpkg · L11
npm/scripts/postinstall.jsView file
1Install-time AI-agent control hijack evidence: L8: // • REUSES an existing cockpit venv (upgrade in place) instead of wiping it. L9: // • Does NOT touch the global claude CLI, ~/.claude plugins, or ~/.takkub L10: // config. Anything shared/missing is left for an explicit, detect-first ... L60: L61: fs.mkdirSync(agentTakkubHome(), { recursive: true }); L62: ... L89: L90: const claudeOk = ensureClaudeCli(env.claudeCli.present); L91: ... L113: } L114: console.log(' Left untouched: ~/.claude plugins, ~/.takkub config (nothing overwritten).'); L115: console.log('\n Next steps:'); Payload evidence from dist/agent_takkub-1.0.15-py3-none-any.whl: L1: PKp2�\�卮TZagent_takkub/__init__.py �1 L2: �0 н��d�� �SR��R�Fl����GD��靳�3�(����b�^ձڍ��S����p��`��(��_�[�3gL�>���PK�%�\��'�KOagent_takkub/__main__.pyK+��U�K,(P��-�/*Q�M�����LS���K�M��W��UP�����+Yq)A...
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

npm/scripts/postinstall.jsView on unpkg · L1
dist/agent_takkub-1.0.15-py3-none-any.whlView file
path = dist/agent_takkub-1.0.15-py3-none-any.whl kind = high_entropy_blob sizeBytes = 717133 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/agent_takkub-1.0.15-py3-none-any.whlView on unpkg
path = dist/agent_takkub-1.0.15-py3-none-any.whl kind = compressed_blob sizeBytes = 717133 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

dist/agent_takkub-1.0.15-py3-none-any.whlView on unpkg
path = dist/agent_takkub-1.0.15-py3-none-any.whl kind = nested_archive_needs_inspection sizeBytes = 717133 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

dist/agent_takkub-1.0.15-py3-none-any.whlView on unpkg

Findings

1 Critical2 High5 Medium5 Low
CriticalAi Agent Control Hijacknpm/scripts/postinstall.js
HighInstall Time Lifecycle Scriptspackage.json
HighShips High Entropy Blobdist/agent_takkub-1.0.15-py3-none-any.whl
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
MediumInstall Persistencenpm/scripts/pathfix.js
MediumShips Compressed Blobdist/agent_takkub-1.0.15-py3-none-any.whl
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNested Archive Needs Inspectiondist/agent_takkub-1.0.15-py3-none-any.whl