AI Security Review
scanned 4h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface. The notable risk is explicit user-command installation/removal of bundled Claude skills and user-command credential storage for BytePlan/Grafana workflows.
Static reason
No blocking static signals were detected.
Trigger
User runs CLI commands such as `bp-code skill install`, `bp-code login`, or `bp-code logs`.
Impact
Can write local BytePlan config/tokens and install package-owned skills into Claude's skills directory when requested by the user.
Mechanism
user-invoked BytePlan CLI and bundled skill installer
Rationale
The package is not malicious by source inspection, but explicit Claude skill installation/removal is an AI-agent extension control-surface mutation that merits a warn rather than a publish block. No unconsented install-time action or unrelated exfiltration path was found.
Evidence
package.jsonsrc/cli.jssrc/api/core.jssrc/api/auth.jssrc/commands/auth.jssrc/commands/skill.jssrc/api/logs.jssrc/commands/logs.jssrc/archive.jsskills/web-api-capture/scripts/capture.py~/.byteplan/.env~/.byteplan/pages/<pageId>/<tagId>~/.claude/skills/<skillName>CAPTURE_OUT/manifest.jsonCAPTURE_OUT/*.json
Network endpoints4
dev.byteplan.comuatapp.byteplan.combyteplan.51fubei.comgrafana.ops.byteplan.com
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Benign with medium false-positive risk.
Evidence for warning
- src/commands/skill.js provides explicit `bp-code skill install/remove` commands that write/remove bundled skills under `~/.claude/skills` by default.
- src/commands/auth.js and src/api/auth.js save BytePlan credentials/tokens to `~/.byteplan/.env` after user-invoked login.
- skills/web-api-capture/scripts/capture.py can capture browser XHR/Fetch bodies to CAPTURE_OUT, but is a bundled helper run explicitly by users.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle scripts.
- src/cli.js only registers commander subcommands; no install-time execution.
- Network calls are to BytePlan/Grafana product endpoints in src/api/*.js and require user CLI commands.
- No evidence of credential exfiltration to unrelated hosts, remote payload loading, persistence, or destructive install-time behavior.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourceskills/web-api-capture/scripts/capture.pyView file
•path = skills/web-api-capture/scripts/capture.py
kind = build_helper
sizeBytes = 4463
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
skills/web-api-capture/scripts/capture.pyView on unpkgFindings
4 Medium4 Low
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperskills/web-api-capture/scripts/capture.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings