AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `captain-tool setup` or `captain-tool setup --yes`.
Impact
Registers a persistent local agent extension; `--yes` can widen Claude Code permissions for that extension.
Mechanism
User-invoked AI-agent MCP registration and optional permission allowlist update.
Rationale
The package is not malicious by the install-time-control-surface boundary, but its explicit setup command persistently configures AI agents and can auto-approve its tools. Treat as a warning for dangerous agent-extension capability.
Evidence
package.jsonscripts/postinstall.jsbin/captain-toolbin/captain-tool-setupREADME.md~/.claude.json~/.claude/settings.json~/.config/Claude/claude_desktop_config.json~/.config/Code/User/mcp.json~/.cursor/mcp.json~/.codeium/windsurf/mcp_config.json
Network endpoints1
app.getcaptain.dev/
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `bin/captain-tool-setup` writes MCP registrations for Claude, VS Code, Cursor, and Windsurf.
- Explicit `setup --yes` adds server-wide `mcp__captain` auto-approval to `~/.claude/settings.json`.
- `bin/captain-tool` launches a platform-specific optional native binary.
Evidence against
- `scripts/postinstall.js` only checks optional binary presence and prints status; it does not alter configs.
- Config and permission changes occur only through the user-invoked `captain-tool setup` command.
- The interactive setup prompts before widening Claude Code permissions.
- No HTTP client, credential harvesting, exfiltration, eval, or remote payload download exists in packaged JS.
Behavioral surface
Filesystem
UrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High1 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License