registry  /  captain-tool  /  0.0.63

captain-tool@0.0.63

MCP server connecting Claude Desktop and VS Code Copilot to Captain Cloud

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `captain-tool setup` or `captain-tool setup --yes`.
Impact
Registers a persistent local agent extension; `--yes` can widen Claude Code permissions for that extension.
Mechanism
User-invoked AI-agent MCP registration and optional permission allowlist update.
Rationale
The package is not malicious by the install-time-control-surface boundary, but its explicit setup command persistently configures AI agents and can auto-approve its tools. Treat as a warning for dangerous agent-extension capability.
Evidence
package.jsonscripts/postinstall.jsbin/captain-toolbin/captain-tool-setupREADME.md~/.claude.json~/.claude/settings.json~/.config/Claude/claude_desktop_config.json~/.config/Code/User/mcp.json~/.cursor/mcp.json~/.codeium/windsurf/mcp_config.json
Network endpoints1
app.getcaptain.dev/

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `bin/captain-tool-setup` writes MCP registrations for Claude, VS Code, Cursor, and Windsurf.
  • Explicit `setup --yes` adds server-wide `mcp__captain` auto-approval to `~/.claude/settings.json`.
  • `bin/captain-tool` launches a platform-specific optional native binary.
Evidence against
  • `scripts/postinstall.js` only checks optional binary presence and prints status; it does not alter configs.
  • Config and permission changes occur only through the user-invoked `captain-tool setup` command.
  • The interactive setup prompts before widening Claude Code permissions.
  • No HTTP client, credential harvesting, exfiltration, eval, or remote payload download exists in packaged JS.
Behavioral surface
Source
Filesystem
Supply chain
UrlStrings
Manifest
NoLicense
scanned 1 file(s), 1.91 KB of source, external domains: github.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High1 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License