registry  /  byteplan-code-cli  /  1.0.10

byteplan-code-cli@1.0.10

BytePlan Code CLI - Command line tool for BytePlan authentication and user management

AI Security Review

scanned 4h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface. The main risk is explicit user-command installation/removal of bundled skills into Claude Code's skills directory, plus normal CLI credential storage for BytePlan login.

Static reason
No blocking static signals were detected.
Trigger
User runs bp-code skill install/remove, bp-code login, or authenticated BytePlan CLI commands.
Impact
Can modify ~/.claude/skills and ~/.byteplan config only when invoked; no install-time persistence or exfiltration confirmed.
Mechanism
User-invoked CLI file operations and BytePlan API calls
Rationale
Static inspection shows explicit user-command agent skill installation/removal and credential storage, but no lifecycle hook abuse or concrete malicious chain. Per policy this should warn rather than block.
Evidence
package.jsonsrc/cli.jssrc/api/core.jssrc/api/auth.jssrc/commands/skill.jssrc/archive.jsskills/web-api-capture/scripts/capture.py~/.claude/skills/<skill>~/.byteplan/.env~/.byteplan/.env.<env>~/.byteplan/pages/<pageId>/<tagId>
Network endpoints4
dev.byteplan.comuatapp.byteplan.combyteplan.51fubei.comgrafana.ops.byteplan.com

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • src/commands/skill.js explicitly copies bundled skills into default ~/.claude/skills on user command.
  • src/commands/skill.js can remove target skill directories via skill remove, but only as an explicit CLI subcommand.
  • src/api/auth.js stores BytePlan credentials and tokens in ~/.byteplan/.env.<env> after login.
  • src/archive.js uses spawnSync mkdir/cp to archive user-provided frontend source under ~/.byteplan/pages.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • src/cli.js only registers commander commands; write commands require --yes unless BP_NO_CONFIRM=1.
  • Network use is aligned to BytePlan/Grafana API operations, not arbitrary exfiltration endpoints.
  • No eval/vm/Function, native binary loading, obfuscated payload, or import-time remote execution found.
  • Claude skills mutation is explicit user-command setup, not unconsented install-time control-surface mutation.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 44 file(s), 367 KB of source, external domains: byteplan.51fubei.com, dev.byteplan.com, grafana.ops.byteplan.com, uatapp.byteplan.com

Source & flagged code

1 flagged · loading source
skills/web-api-capture/scripts/capture.pyView file
path = skills/web-api-capture/scripts/capture.py kind = build_helper sizeBytes = 4463 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

skills/web-api-capture/scripts/capture.pyView on unpkg

Findings

4 Medium4 Low
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperskills/web-api-capture/scripts/capture.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings