AI Security Review
scanned 3d ago · by lpm-firewall-ai
The package mutates the Claude/AI-agent control surface at npm install time by dropping a package-supplied skill into the user's Claude config. Runtime wrappers also impersonate the claude command and write Claude config defaults that route Anthropic traffic to a local Bingo service.
Decision evidence
public snapshot
- package.json defines postinstall: node scripts/install-skills.cjs.
- scripts/install-skills.cjs copies bundled .claude/skills/* into $CLAUDE_CONFIG_DIR or ~/.claude/skills during install.
- .claude/skills/leanchy/SKILL.md is an AI-agent behavior protocol, installed without a user invocation path.
- package ships bin name "claude" pointing to bin/claude-win.cjs/bin/claude, creating a Claude CLI impersonation/control surface.
- bin/claude and bin/bingocode-win.cjs write default config to ~/.claude/bingo/settings.json pointing ANTHROPIC_BASE_URL at localhost.
- .claude/settings.local.json contains package-local Claude permission allow rules for bash/read commands.
- No credential exfiltration code confirmed in inspected install script or bin wrappers.
- Observed network endpoints are mostly local proxy/health checks or Anthropic-aligned service URLs.
- Bundled native rg.exe appears to be a ripgrep utility dependency artifact.
- Postinstall skips if .claude/skills is absent and does not overwrite existing skill directories.
Source & flagged code
16 flagged
- package.json: Package defines install-time lifecycle scripts.
- src/utils/powershell/parser.ts (L1343): Package contains a possible secret pattern.
- bin/claude-win.cjs: Source file is highly similar to a previously finalized malicious package; route for source-aware review.
- src/utils/plugins/mcpbHandler.ts (L4): Package source references weak cryptographic algorithms.
- src/utils/deepLink/registerProtocol.ts (L40): Source writes installer persistence such as shell profile or service configuration.
- src/utils/ide.ts (L1354): A single source file combines environment access, network access, and code or shell execution; review context before blocking.
- scripts/install-skills.cjs (L2): Install-time source drops package-supplied AI-agent/MCP control files or instructions.
- bin/bingo-win.cjs (L87): Package source invokes a package manager install command at runtime.
- bin/bingo-win.cjs: Source file is highly similar to a previously finalized malicious package; route for source-aware review.
- src/utils/vendor/ripgrep/x64-win32/rg.exe: Package ships native binary artifacts.
- runtime/win_helper.py: Package ships non-JavaScript build or shell helper files.
- bin/bingocode-win.cjs: Source file is highly similar to a previously finalized malicious package; route for source-aware review.
- src/main.tsx: Source file is highly similar to a previously finalized malicious package; route for source-aware review.
- src/tools/SkillTool/SkillTool.ts: Source file is highly similar to a previously finalized malicious package; route for source-aware review.