registry  /  anumati  /  0.2.0

anumati@0.2.0

PreToolUse hook for Claude Code — config-driven allow rules that reduce permission prompts and suggest new rules from real usage

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface. The package is a Claude Code permission-hook CLI that explicitly configures its own hook and local logs when invoked by the user.

Static reason
No blocking static signals were detected.
Trigger
User runs `anumati init`, `anumati add`, `anumati apply`, or the configured Claude Code hook invokes `anumati`.
Impact
Can alter local `.claude` permissions/settings and auto-allow matched Bash commands; risk is lifecycle/capability scope, not observed malware.
Mechanism
explicit Claude Code hook/config management and command allow-rule evaluation
Rationale
Source inspection shows an explicit Claude Code hook manager with local config/log writes and no install-time agent hijack, exfiltration, or remote payload execution. Because it intentionally mutates an AI-agent control surface on user command and can auto-approve commands, treat as a warning-level agent extension lifecycle risk rather than malware.
Evidence
package.jsondist/index.jsdist/config.jsdist/cli/init.jsdist/cli/settings.jsdist/cli/steer.jsdist/notify.jsdist/audit.jsdist/suggest-store.js~/.claude/permissions.json<cwd>/.claude/permissions.json~/.claude/settings.json<cwd>/.claude/settings.json~/.claude/CLAUDE.md<cwd>/.claude/CLAUDE.md~/.claude/anumati-audit.jsonl~/.claude/anumati-passthrough.jsonl~/.claude/anumati-suggestions.jsonl
Network endpoints3
github.com/adityamatt/anumatigithub.com/adityamatt/anumati/issuesgithub.com/adityamatt/anumati#readme

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/cli/init.js writes Claude Code permissions config, audit logs, settings hook, and CLAUDE.md when user runs `anumati init`.
  • dist/cli/settings.js merges a Bash PreToolUse hook and optional SessionStart hook into `.claude/settings.json`.
  • dist/cli/steer.js writes a managed guidance block into adjacent `CLAUDE.md`.
  • dist/notify.js can spawn a configured or platform sound command on hook passthrough.
Evidence against
  • package.json has no preinstall/install/postinstall hook; prepare only runs `npm run build`.
  • dist/index.js runtime reads stdin/config and emits allow or passthrough hook JSON; no import-time network or payload fetch.
  • Agent settings mutation is explicit user-command setup, package-aligned, idempotent, and preserves existing settings.
  • No credential harvesting, exfiltration endpoint, destructive action, obfuscated payload, or remote code loading found.
  • Network URLs are repository/docs metadata only.
Behavioral surface
Source
ChildProcessFilesystem
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 47 file(s), 175 KB of source, external domains: github.com

Source & flagged code

4 flagged · loading source
dist/cli/init.jsView file
Published source reference
Medium
Ai Review Evidence

dist/cli/init.js writes Claude Code permissions config, audit logs, settings hook, and CLAUDE.md when user runs `anumati init`.

dist/cli/init.jsView on unpkg
dist/cli/settings.jsView file
Published source reference
Medium
Ai Review Evidence

dist/cli/settings.js merges a Bash PreToolUse hook and optional SessionStart hook into `.claude/settings.json`.

dist/cli/settings.jsView on unpkg
dist/cli/steer.jsView file
Published source reference
Medium
Ai Review Evidence

dist/cli/steer.js writes a managed guidance block into adjacent `CLAUDE.md`.

dist/cli/steer.jsView on unpkg
dist/notify.jsView file
Published source reference
Medium
Ai Review Evidence

dist/notify.js can spawn a configured or platform sound command on hook passthrough.

dist/notify.jsView on unpkg

Findings

4 Medium5 Low
MediumAi Review Evidencedist/cli/init.js
MediumAi Review Evidencedist/cli/settings.js
MediumAi Review Evidencedist/cli/steer.js
MediumAi Review Evidencedist/notify.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings