registry  /  amicus  /  2.2.0

amicus@2.2.0

Multi-model LLM Council + parallel AI window for Claude Code. Run structured council reviews across Gemini, GPT, DeepSeek and more — or fork a conversation to any model and fold the results back.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. npm postinstall mutates Claude Code and Claude Desktop/Cowork control surfaces. It installs auto-triggered skills and registers a user-scope MCP server that later executes `amicus@latest`.

Static reason
High-risk behavior combination matched malicious policy.; source matched previously finalized malicious package; routed for review
Trigger
npm install executes the postinstall lifecycle hook unless `AMICUS_SKIP_POSTINSTALL=1` is preset.
Impact
Future Claude sessions can load package-supplied instructions and invoke a mutable remote MCP payload.
Mechanism
unconsented AI-agent skill deployment and MCP configuration injection
Policy narrative
On installation, the package's postinstall runs automatically, copies its skill instructions into the user's Claude skill directory, and registers an MCP server in Claude Code and Claude Desktop/Cowork configuration. The registration invokes `npx -y amicus@latest mcp`, so later agent use resolves and executes the moving latest package rather than the reviewed installed version. This is an unconsented install-time mutation of broad external AI-agent control surfaces.
Rationale
Direct source inspection confirms an automatic postinstall writes foreign Claude configuration and instruction files, then injects a mutable `@latest` MCP launcher. This meets the firewall block boundary for unconsented postinstall AI-agent control-surface mutation.
Evidence
package.jsonscripts/postinstall.jsskills/sidecar/SKILL.mdskills/second-opinion/SKILL.mdsrc/utils/mcp-self-identity.js~/.claude/skills/sidecar/SKILL.md~/.claude/skills/second-opinion/SKILL.md~/.claude.json~/Library/Application Support/Claude/claude_desktop_config.json

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • `package.json` runs `node scripts/postinstall.js` automatically.
  • `scripts/postinstall.js` copies package skills into `~/.claude/skills/` without user action.
  • Postinstall registers an `amicus` MCP server in `~/.claude.json` and Claude Desktop config.
  • The injected MCP command is `npx -y amicus@latest mcp`, a mutable latest-version launcher.
  • Postinstall overwrites any non-Amicus MCP entry named `amicus`.
Evidence against
  • No default postinstall network request is confirmed; Electron network prewarm requires `AMICUS_PREFETCH_ELECTRON=1`.
  • Observed API-key handling supports the package's stated multi-model runtime, not install-time exfiltration.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 146 file(s), 908 KB of source, external domains: aistudio.google.com, api.anthropic.com, api.deepseek.com, api.openai.com, console.anthropic.com, generativelanguage.googleapis.com, nodejs.org, openrouter.ai, platform.deepseek.com, platform.openai.com, www.w3.org

Source & flagged code

9 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/amicus.jsView file
10// Load API keys from all sources: process.env > amicus .env > auth.json L11: const { loadCredentials } = require('../src/utils/env-loader'); L12: loadCredentials();
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/amicus.jsView on unpkg · L10
scripts/postinstall.jsView file
5Install-time AI-agent control hijack evidence: L5: * L6: * 1. Copies SKILL.md to ~/.claude/skills/sidecar/ L7: * 2. Registers MCP server in Claude Code (~/.claude.json) L8: * 3. Registers MCP server in Claude Desktop/Cowork config ... L37: function skillsRoot() { L38: return path.join(os.homedir(), '.claude', 'skills'); L39: } ... L70: L71: if (!existing.mcpServers) { existing.mcpServers = {}; } L72: L73: const prev = existing.mcpServers[name]; L74: const nextConfig = (prev && isAmicusMcpConfig(prev)) ? { ...prev, ...config } : config; Payload evidence from skills/sidecar/SKILL.md: L41: 1. **ALWAYS launch amicus CLI commands with the Bash tool's `run_in_background: true`.** Never run `amicus start/resume/continue` in the foreground. L42: 2. **The fold summary returns on stdout** when the user clicks Fold in the GUI or the headless agent finishes. Use TaskOutput to read it when the background task completes. L43: 3. **For long or multi-line briefings, write them to a temp file and pass `--prompt-file <path>`** (mutually exclusive with `--prompt`; avoids shell-quoting hazards and argument-si... ... L82: **Step 1: Get an OpenRouter API key** L83: - Sign up at https://openrouter.ai …
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/postinstall.jsView on unpkg · L5
src/sidecar/electron-install.jsView file
matchType = normalized_sha256 matchedPackage = amicus@2.0.0 matchedPath = src/sidecar/electron-install.js matchedIdentity = npm:YW1pY3Vz:2.0.0 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

src/sidecar/electron-install.jsView on unpkg
src/mcp-server.jsView file
matchType = normalized_sha256 matchedPackage = amicus@2.1.0 matchedPath = src/mcp-server.js matchedIdentity = npm:YW1pY3Vz:2.1.0 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

src/mcp-server.jsView on unpkg
src/sidecar/interactive.jsView file
matchType = normalized_sha256 matchedPackage = amicus@2.0.0 matchedPath = src/sidecar/interactive.js matchedIdentity = npm:YW1pY3Vz:2.0.0 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

src/sidecar/interactive.jsView on unpkg
src/sidecar/unzip.jsView file
matchType = normalized_sha256 matchedPackage = amicus@2.0.0 matchedPath = src/sidecar/unzip.js matchedIdentity = npm:YW1pY3Vz:2.0.0 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

src/sidecar/unzip.jsView on unpkg
src/headless.jsView file
matchType = normalized_sha256 matchedPackage = amicus@2.0.0 matchedPath = src/headless.js matchedIdentity = npm:YW1pY3Vz:2.0.0 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

src/headless.jsView on unpkg

Findings

1 Critical6 High5 Medium4 Low
CriticalAi Agent Control Hijackscripts/postinstall.js
HighInstall Time Lifecycle Scriptspackage.json
HighKnown Malware Source Similaritysrc/sidecar/electron-install.js
HighKnown Malware Source Similaritysrc/mcp-server.js
HighKnown Malware Source Similaritysrc/sidecar/interactive.js
HighKnown Malware Source Similaritysrc/sidecar/unzip.js
HighKnown Malware Source Similaritysrc/headless.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirebin/amicus.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings