AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. Automatic installation mutates a consuming project's Claude Code control surface. It drops active hook configuration and hook scripts, including a formatter hook that can download tools through `npx` when triggered by later agent edits. No confirmed credential exfiltration or destructive behavior was found.
Decision evidence
public snapshot- `package.json` runs `postinstall` automatically.
- `.catalyst/bin/install.js` copies agents, commands, skills, rules, hooks, and settings into the consuming project's `.claude/`.
- `.claude/settings.json` activates copied hooks for Claude Code events.
- `.claude/hooks/post-edit-format.sh` invokes `npx --yes` formatters after agent edits.
- Installer has no credential harvesting, exfiltration, eval, or remote-payload execution.
- Installer network use is absent; it creates only an empty local ElevenLabs key template.
- Voice server is user-invoked local functionality and sends its key only to ElevenLabs.
- Hooks are package-aligned automation, though installed through `postinstall`.
Source & flagged code
5 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgInstall-time source drops package-supplied AI-agent/MCP control files or instructions.
.catalyst/bin/install.jsView on unpkg · L1Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.
.claude/hooks/forge-session-rename.shView on unpkgPackage ships non-JavaScript build or shell helper files.
.claude/hooks/forge-session-rename.shView on unpkg