AI Security Review
scanned 4h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface. The main risk is explicit user-command installation/removal of bundled skills into Claude Code's skills directory, plus normal CLI credential storage for BytePlan login.
Static reason
No blocking static signals were detected.
Trigger
User runs bp-code skill install/remove, bp-code login, or authenticated BytePlan CLI commands.
Impact
Can modify ~/.claude/skills and ~/.byteplan config only when invoked; no install-time persistence or exfiltration confirmed.
Mechanism
User-invoked CLI file operations and BytePlan API calls
Rationale
Static inspection shows explicit user-command agent skill installation/removal and credential storage, but no lifecycle hook abuse or concrete malicious chain. Per policy this should warn rather than block.
Evidence
package.jsonsrc/cli.jssrc/api/core.jssrc/api/auth.jssrc/commands/skill.jssrc/archive.jsskills/web-api-capture/scripts/capture.py~/.claude/skills/<skill>~/.byteplan/.env~/.byteplan/.env.<env>~/.byteplan/pages/<pageId>/<tagId>
Network endpoints4
dev.byteplan.comuatapp.byteplan.combyteplan.51fubei.comgrafana.ops.byteplan.com
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- src/commands/skill.js explicitly copies bundled skills into default ~/.claude/skills on user command.
- src/commands/skill.js can remove target skill directories via skill remove, but only as an explicit CLI subcommand.
- src/api/auth.js stores BytePlan credentials and tokens in ~/.byteplan/.env.<env> after login.
- src/archive.js uses spawnSync mkdir/cp to archive user-provided frontend source under ~/.byteplan/pages.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle hooks.
- src/cli.js only registers commander commands; write commands require --yes unless BP_NO_CONFIRM=1.
- Network use is aligned to BytePlan/Grafana API operations, not arbitrary exfiltration endpoints.
- No eval/vm/Function, native binary loading, obfuscated payload, or import-time remote execution found.
- Claude skills mutation is explicit user-command setup, not unconsented install-time control-surface mutation.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourceskills/web-api-capture/scripts/capture.pyView file
•path = skills/web-api-capture/scripts/capture.py
kind = build_helper
sizeBytes = 4463
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
skills/web-api-capture/scripts/capture.pyView on unpkgFindings
4 Medium4 Low
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperskills/web-api-capture/scripts/capture.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings