amicus@1.7.6

Multi-model LLM Council + parallel AI window for Claude Code. Run structured council reviews across Gemini, GPT, DeepSeek and more — or fork a conversation to any model and fold the results back.

AI Security Review

scanned 2d ago · by lpm-firewall-ai

Install-time lifecycle code mutates Claude/AI-agent control surfaces by installing skills and registering MCP servers. This happens during npm install, before explicit CLI setup.

Static reason
High-risk behavior combination matched malicious policy; previous stored version diff introduced dangerous source.
Trigger
npm install of amicus@1.7.6
Impact
Unconsented agent behavior/tooling changes; future Claude/MCP sessions may follow package-supplied instructions and execute npx amicus@latest mcp.
Mechanism
postinstall writes agent skill files and MCP config entries
Attack narrative
During npm install, postinstall.js installs package-supplied Claude skills and registers amicus/sidecar MCP servers in user-level Claude configs. The registered MCP command is npx -y amicus@latest mcp, so later AI-agent sessions can invoke package-controlled code and follow installed package instructions without the user separately running setup. Although this aligns with the product’s advertised purpose, doing it from a lifecycle hook is an unconsented AI-agent control-surface mutation.
Rationale
Source inspection confirms concrete install-time writes to Claude skills and MCP configuration, which is blockable for upstream firewall policy even without credential exfiltration. The behavior is package-aligned but too invasive for npm lifecycle execution. Product guard normalized a non-low false-positive publish_block request to warn-only suspicious.
Evidence
  • package.json
  • scripts/postinstall.js
  • skills/sidecar/SKILL.md
  • skills/second-opinion/SKILL.md
  • src/utils/env-loader.js
  • src/utils/model-fetcher.js
  • src/mcp-server.js
  • bin/amicus.js
  • ~/.claude/skills/sidecar/SKILL.md
  • ~/.claude/skills/second-opinion/SKILL.md
  • ~/.claude/skills/second-opinion/COUNCIL-DESIGN.md
  • ~/.claude/skills/second-opinion/MODEL-NOTES.md
  • ~/.claude.json
  • ~/Library/Application Support/Claude/claude_desktop_config.json
  • %APPDATA%/Claude/claude_desktop_config.json
  • ~/.config/claude/claude_desktop_config.json
Network endpoints (6)
  • openrouter.ai/api/v1/models
  • generativelanguage.googleapis.com/v1beta/models
  • api.openai.com/v1/models
  • api.deepseek.com/models
  • api.anthropic.com/v1/messages
  • openrouter.ai/api/v1/key

Decision evidence

public snapshot
AI called this Suspicious at 92.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for block
  • package.json runs postinstall: node scripts/postinstall.js.
  • scripts/postinstall.js copies bundled skills into ~/.claude/skills/sidecar and ~/.claude/skills/second-opinion during install.
  • scripts/postinstall.js registers MCP servers named amicus and sidecar via claude mcp add-json or direct config writes.
  • scripts/postinstall.js writes ~/.claude.json and Claude Desktop claude_desktop_config.json fallback entries.
  • MCP config uses command npx with args -y amicus@latest mcp, causing future agent tool launches to run package-controlled code.
  • skills/*.md contain operational instructions for Claude/agent behavior, installed automatically at lifecycle time.
Evidence against
  • Package is openly an AI sidecar/MCP CLI, so MCP and skill files are product-aligned.
  • No credential exfiltration or unrelated external C2 endpoint found in inspected source.
  • Credential loading in bin/amicus.js and src/utils/env-loader.js only populates process.env for provider API use.
  • Most runtime network endpoints are provider/model APIs aligned with the CLI purpose.
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network
Supply chain
HighEntropyStrings, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 123 file(s), 754 KB of source, external domains: aistudio.google.com, api.anthropic.com, api.deepseek.com, api.openai.com, console.anthropic.com, generativelanguage.googleapis.com, nodejs.org, openrouter.ai, platform.deepseek.com, platform.openai.com, www.w3.org

Source & flagged code

5 flagged
package.json
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
bin/amicus.js
L13: try {
L14:   const { migrateLegacyConfigDir } = require('../src/utils/config');
L15:   const _m = migrateLegacyConfigDir();
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/amicus.js · L13
scripts/postinstall.js
Install-time AI-agent control hijack evidence:
L5:  *
L6:  * 1. Copies SKILL.md to ~/.claude/skills/sidecar/
L7:  * 2. Registers MCP server in Claude Code (~/.claude.json)
L8:  * 3. Registers MCP server in Claude Desktop/Cowork config
...
L36: function skillsRoot() {
L37:   return path.join(os.homedir(), '.claude', 'skills');
L38: }
...
L58:
L59: if (!existing.mcpServers) { existing.mcpServers = {}; }
L60:
L61: const prev = existing.mcpServers[name];
L62: const status = !prev ? 'added' : JSON.stringify(prev) !== JSON.stringify(config) ? 'updated' : 'unchanged';

Payload evidence from skills/sidecar/SKILL.md:
L11: run_in_background: true. Never run amicus start/resume/continue in the foreground.
L12: (2) The fold summary returns on stdout when the user clicks Fold in the GUI or the
L13: headless agent finishes. Use TaskOutput to read it when the background task completes.
...
L69: **Step 1: Get an OpenRouter API key**
L70: - Sign up at https://openrouter.ai
L71: - Go to Keys → Create Key
...
L78: mkdir -p ~/.local/share/opencode
L79: cat > ~/.local/share/opencode/auth.json << 'EOF'
L80: {
...
L119:
L120: Add these to your shell profile (`~/.bashrc`, `~/.zshrc`) for persistence.
L121:
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/postinstall.js · L5
src/mcp-server.js
matchType = previous_version_dangerous_delta
matchedPackage = amicus@1.7.5
matchedIdentity = npm:YW1pY3Vz:1.7.5
similarity = 0.797
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

src/mcp-server.js

Findings

2 Critical · 1 High · 5 Medium · 4 Low
  • Critical · Ai Agent Control Hijack · scripts/postinstall.js
  • Critical · Previous Version Dangerous Delta · src/mcp-server.js
  • High · Install Time Lifecycle Scripts · package.json
  • Medium · Ambiguous Install Lifecycle Script · package.json
  • Medium · Dynamic Require · bin/amicus.js
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Structural Risk Force Deep Review
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings