
amicus@1.8.1

Multi-model LLM Council + parallel AI window for Claude Code. Run structured council reviews across Gemini, GPT, DeepSeek and more — or fork a conversation to any model and fold the results back.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

Install-time code mutates Claude skill and MCP configuration under the user's home directory. This creates an AI-agent control surface immediately after npm install.

Static reason
High-risk behavior combination matched malicious policy; previous stored version diff introduced dangerous source.
Trigger
npm install / postinstall lifecycle
Impact
Claude Code or Claude Desktop may trust package-supplied MCP tools after installation, allowing the package to spawn/continue local AI sessions and write session state.
Mechanism
unconsented Claude skill and MCP registration writes
Attack narrative
On installation, package.json invokes scripts/postinstall.js. The script copies bundled Claude skills into the user's ~/.claude tree, then registers an MCP server named amicus using the Claude CLI or direct JSON edits to Claude Code and Claude Desktop config files. The registered MCP server exposes tools that can start, continue, resume, abort, and read Amicus AI sessions. This is lifecycle-time AI-agent control-surface mutation rather than a user-invoked setup command.
Rationale
Static inspection confirms install-time writes to Claude skills and MCP configuration, which is unconsented AI-agent control-surface mutation suitable for firewall blocking. The package does not show credential exfiltration, but the lifecycle registration behavior itself is the concrete attack surface. Product guard normalized a non-low false-positive publish_block request to warn-only suspicious.
Evidence
  • package.json
  • scripts/postinstall.js
  • src/mcp-server.js
  • .claude-plugin/plugin.json
  • ~/.claude/skills/sidecar/SKILL.md
  • ~/.claude/skills/second-opinion/SKILL.md
  • ~/.claude/skills/second-opinion/COUNCIL-DESIGN.md
  • ~/.claude/skills/second-opinion/MODEL-NOTES.md
  • ~/.claude.json
  • ~/Library/Application Support/Claude/claude_desktop_config.json
  • ~/.config/claude/claude_desktop_config.json

Decision evidence

public snapshot
AI called this Suspicious at 94.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for block
  • package.json runs postinstall: node scripts/postinstall.js
  • scripts/postinstall.js copies package skills into ~/.claude/skills/sidecar and ~/.claude/skills/second-opinion
  • scripts/postinstall.js registers an MCP server via claude mcp add-json or by editing ~/.claude.json
  • scripts/postinstall.js edits Claude Desktop claude_desktop_config.json with npx -y amicus@latest mcp
  • src/mcp-server.js exposes MCP tools that spawn Amicus CLI sessions and write project .claude/amicus session files
Evidence against
  • No obfuscated payloads or encoded strings found in inspected files
  • No credential harvesting or exfiltration found in postinstall path
  • Network endpoints are provider/model API or project metadata URLs aligned with package function
  • Postinstall has AMICUS_SKIP_POSTINSTALL opt-out and uses best-effort error handling
Behavioral surface
Source
Child Process · Crypto · Dynamic Require · Environment Vars · Filesystem · Network
Supply chain
High Entropy Strings · Url Strings
Manifest
No manifest risk signals triggered.
scanned 130 file(s), 804 KB of source, external domains: aistudio.google.com, api.anthropic.com, api.deepseek.com, api.openai.com, console.anthropic.com, generativelanguage.googleapis.com, nodejs.org, openrouter.ai, platform.deepseek.com, platform.openai.com, www.w3.org

Source & flagged code

5 flagged
package.json
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

bin/amicus.js
L13: try {
L14:   const { migrateLegacyConfigDir } = require('../src/utils/config');
L15:   const _m = migrateLegacyConfigDir();
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/amicus.js · L13
scripts/postinstall.js
Install-time AI-agent control hijack evidence:
L5:  *
L6:  * 1. Copies SKILL.md to ~/.claude/skills/sidecar/
L7:  * 2. Registers MCP server in Claude Code (~/.claude.json)
L8:  * 3. Registers MCP server in Claude Desktop/Cowork config
...
L37: function skillsRoot() {
L38:   return path.join(os.homedir(), '.claude', 'skills');
L39: }
...
L70:
L71:   if (!existing.mcpServers) { existing.mcpServers = {}; }
L72:
L73:   const prev = existing.mcpServers[name];
L74:   const nextConfig = (prev && isAmicusMcpConfig(prev)) ? { ...prev, ...config } : config;
Payload evidence from skills/sidecar/SKILL.md:
L26: 1. **ALWAYS launch amicus CLI commands with the Bash tool's `run_in_background: true`.** Never run `amicus start/resume/continue` in the foreground.
L27: 2. **The fold summary returns on stdout** when the user clicks Fold in the GUI or the headless agent finishes. Use TaskOutput to read it when the background task completes.
L28: 3. **For long or multi-line briefings, write them to a temp file and pass `--prompt-file <path>`** (mutually exclusive with `--prompt`; avoids shell-quoting hazards and argument-si...
...
L67: **Step 1: Get an OpenRouter API key**
L68: - Sign up at https://openrouter.ai …
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/postinstall.js · L5
src/mcp-server.js
matchType = previous_version_dangerous_delta
matchedPackage = amicus@1.7.6
matchedIdentity = npm:YW1pY3Vz:1.7.6
similarity = 0.808
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.


Findings

2 Critical · 1 High · 5 Medium · 4 Low
Critical · Ai Agent Control Hijack · scripts/postinstall.js
Critical · Previous Version Dangerous Delta · src/mcp-server.js
High · Install Time Lifecycle Scripts · package.json
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Dynamic Require · bin/amicus.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings