amicus@2.0.0

Multi-model LLM Council + parallel AI window for Claude Code. Run structured council reviews across Gemini, GPT, DeepSeek and more — or fork a conversation to any model and fold the results back.

AI Security Review

scanned 6h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Install-time code mutates broad Claude/Cowork AI-agent control surfaces without an explicit user action beyond npm install. It plants skills and registers a standing MCP server that will execute npx -y amicus@latest mcp from Claude clients.

Static reason
High-risk behavior combination matched malicious policy; source matched previously finalized malicious package; routed for review
Trigger
npm install lifecycle postinstall
Impact
Adds package-supplied agent instructions/tools to user-level Claude and Claude Desktop environments, expanding future AI-agent command surface.
Mechanism
unconsented Claude skill and MCP registration
Policy narrative
On postinstall, the package installs Claude skills into the user's home directory and registers an amicus MCP server in Claude Code and Claude Desktop config. The registered server invokes npx -y amicus@latest mcp, giving Claude clients a persistent package-provided tool surface without a separate opt-in setup step.
Rationale
Source inspection confirms unconsented lifecycle mutation of foreign/broad AI-agent control surfaces, which is blockable under the install-control-surface policy even though the content appears product-aligned. No classic credential theft was found, but the lifecycle delivery mechanism is enough for a malicious firewall verdict.
Evidence
  • package.json
  • scripts/postinstall.js
  • scripts/setup-hooks.js
  • .claude-plugin/plugin.json
  • skills/sidecar/SKILL.md
  • skills/second-opinion/SKILL.md
  • ~/.claude/skills/sidecar/SKILL.md
  • ~/.claude/skills/second-opinion/SKILL.md
  • ~/.claude/skills/second-opinion/COUNCIL-DESIGN.md
  • ~/.claude/skills/second-opinion/MODEL-NOTES.md
  • ~/.claude.json
  • ~/Library/Application Support/Claude/claude_desktop_config.json
  • ~/.config/claude/claude_desktop_config.json
  • .git/config

Decision evidence

public snapshot
AI called this Malicious at 96.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json runs postinstall: node scripts/postinstall.js
  • scripts/postinstall.js copies package skills into ~/.claude/skills/sidecar and ~/.claude/skills/second-opinion
  • scripts/postinstall.js registers MCP server in Claude Code via claude mcp add-json or writes ~/.claude.json
  • scripts/postinstall.js writes Claude Desktop claude_desktop_config.json with mcpServers.amicus
  • MCP config launches npx -y amicus@latest mcp, creating standing agent tool registration
  • scripts/setup-hooks.js can set git core.hooksPath during postinstall when run inside a git checkout
Evidence against
  • Package is openly an AI sidecar/council tool for Claude and ships matching plugin manifests
  • MCP entries are named amicus and use product-aligned command args
  • No credential exfiltration or destructive payload found in inspected source
  • Electron provisioning is cache-only by default; network prefetch requires AMICUS_PREFETCH_ELECTRON=1
  • Runtime provider API calls are package-aligned model/key validation endpoints
Behavioral surface
Source
ChildProcess · Crypto · DynamicRequire · EnvironmentVars · Filesystem · Network
Supply chain
HighEntropyStrings · UrlStrings
Manifest
No manifest risk signals triggered.
scanned 140 file(s), 888 KB of source, external domains: aistudio.google.com, api.anthropic.com, api.deepseek.com, api.openai.com, console.anthropic.com, generativelanguage.googleapis.com, nodejs.org, openrouter.ai, platform.deepseek.com, platform.openai.com, www.w3.org

Source & flagged code

9 flagged
package.json
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
bin/amicus.js
L10: // Load API keys from all sources: process.env > amicus .env > auth.json
L11: const { loadCredentials } = require('../src/utils/env-loader');
L12: loadCredentials();
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/amicus.js · L10
scripts/postinstall.js
Install-time AI-agent control hijack evidence:
L5:  *
L6:  * 1. Copies SKILL.md to ~/.claude/skills/sidecar/
L7:  * 2. Registers MCP server in Claude Code (~/.claude.json)
L8:  * 3. Registers MCP server in Claude Desktop/Cowork config
...
L37: function skillsRoot() {
L38:   return path.join(os.homedir(), '.claude', 'skills');
L39: }
...
L70:
L71: if (!existing.mcpServers) { existing.mcpServers = {}; }
L72:
L73: const prev = existing.mcpServers[name];
L74: const nextConfig = (prev && isAmicusMcpConfig(prev)) ? { ...prev, ...config } : config;
Payload evidence from skills/sidecar/SKILL.md:
L41: 1. **ALWAYS launch amicus CLI commands with the Bash tool's `run_in_background: true`.** Never run `amicus start/resume/continue` in the foreground.
L42: 2. **The fold summary returns on stdout** when the user clicks Fold in the GUI or the headless agent finishes. Use TaskOutput to read it when the background task completes.
L43: 3. **For long or multi-line briefings, write them to a temp file and pass `--prompt-file <path>`** (mutually exclusive with `--prompt`; avoids shell-quoting hazards and argument-si...
...
L82: **Step 1: Get an OpenRouter API key**
L83: - Sign up at https://openrouter.ai …
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/postinstall.js · L5
src/sidecar/electron-install.js
matchType = normalized_sha256
matchedPackage = amicus@2.1.0
matchedPath = src/sidecar/electron-install.js
matchedIdentity = npm:YW1pY3Vz:2.1.0
similarity = 1.000
summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

src/sidecar/electron-install.js
src/sidecar/interactive.js
matchType = normalized_sha256
matchedPackage = amicus@2.1.0
matchedPath = src/sidecar/interactive.js
matchedIdentity = npm:YW1pY3Vz:2.1.0
similarity = 1.000
summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

src/sidecar/interactive.js
src/sidecar/unzip.js
matchType = normalized_sha256
matchedPackage = amicus@2.1.0
matchedPath = src/sidecar/unzip.js
matchedIdentity = npm:YW1pY3Vz:2.1.0
similarity = 1.000
summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

src/sidecar/unzip.js
src/headless.js
matchType = normalized_sha256
matchedPackage = amicus@2.1.0
matchedPath = src/headless.js
matchedIdentity = npm:YW1pY3Vz:2.1.0
similarity = 1.000
summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

src/headless.js
src/sidecar/setup-window.js
matchType = normalized_sha256
matchedPackage = amicus@2.1.0
matchedPath = src/sidecar/setup-window.js
matchedIdentity = npm:YW1pY3Vz:2.1.0
similarity = 1.000
summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

src/sidecar/setup-window.js

Findings

1 Critical · 6 High · 5 Medium · 4 Low
  • Critical · Ai Agent Control Hijack · scripts/postinstall.js
  • High · Install Time Lifecycle Scripts · package.json
  • High · Known Malware Source Similarity · src/sidecar/electron-install.js
  • High · Known Malware Source Similarity · src/sidecar/interactive.js
  • High · Known Malware Source Similarity · src/sidecar/unzip.js
  • High · Known Malware Source Similarity · src/headless.js
  • High · Known Malware Source Similarity · src/sidecar/setup-window.js
  • Medium · Ambiguous Install Lifecycle Script · package.json
  • Medium · Dynamic Require · bin/amicus.js
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Structural Risk Force Deep Review
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings