registry  /  catalyst-os  /  3.4.1

catalyst-os@3.4.1

AI-native spec-driven development framework for Claude Code

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Automatic installation mutates a consuming project's Claude Code control surface. It drops active hook configuration and hook scripts, including a formatter hook that can download tools through `npx` when triggered by later agent edits. No confirmed credential exfiltration or destructive behavior was found.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm installation runs `postinstall`; later Claude Code hook events trigger installed hooks.
Impact
Project-level AI-agent behavior is changed without an explicit setup command.
Mechanism
postinstall deployment of Claude Code configuration, hooks, and agent assets
Rationale
Source inspection confirms an automatic project-level AI-agent extension installation, creating meaningful lifecycle risk. Its behavior is package-aligned and lacks a concrete malicious chain, so this warrants a warning rather than a block.
Evidence
package.json.catalyst/bin/install.js.claude/settings.json.claude/hooks/post-edit-format.sh.catalyst/voice/meet-server.js.claude/hooks/forge-session-rename.sh.claude/hooks/pre-compact-save.sh./.claude/agents./.claude/commands./.claude/skills./.claude/rules./.claude/hooks./.claude/settings.json./.catalyst/secrets.local.yaml./.gitignore./AGENTS.md
Network endpoints1
api.elevenlabs.io/v1/convai/conversation/get-signed-url?agent_id=${AGENT_ID}

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `package.json` runs `postinstall` automatically.
  • `.catalyst/bin/install.js` copies agents, commands, skills, rules, hooks, and settings into the consuming project's `.claude/`.
  • `.claude/settings.json` activates copied hooks for Claude Code events.
  • `.claude/hooks/post-edit-format.sh` invokes `npx --yes` formatters after agent edits.
Evidence against
  • Installer has no credential harvesting, exfiltration, eval, or remote-payload execution.
  • Installer network use is absent; it creates only an empty local ElevenLabs key template.
  • Voice server is user-invoked local functionality and sends its key only to ElevenLabs.
  • Hooks are package-aligned automation, though installed through `postinstall`.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 0 file(s), 0 B of source

Source & flagged code

5 flagged · loading source
package.jsonView file
scripts.postinstall = node .catalyst/bin/install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node .catalyst/bin/install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
.catalyst/bin/install.jsView file
1Install-time AI-agent control hijack evidence: L41: ${yellow}What gets installed:${reset} L42: ${dim}.claude/${reset} Agents, skills, and slash commands L43: ${dim}.catalyst/${reset} Spec templates and project config ... L60: function copyDir(srcDir, destDir) { L61: fs.mkdirSync(destDir, { recursive: true }); L62: ... L71: } else { L72: fs.copyFileSync(srcPath, destPath); L73: } ... L81: if (fs.existsSync(src)) { L82: fs.mkdirSync(path.dirname(dest), { recursive: true }); L83: fs.copyFileSync(src, dest); Payload evidence from .claude/settings.json: L1: { L2: "hooks": {
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

.catalyst/bin/install.jsView on unpkg · L1
.claude/hooks/forge-session-rename.shView file
path = .claude/hooks/forge-session-rename.sh kind = payload_in_excluded_dir sizeBytes = 541 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.claude/hooks/forge-session-rename.shView on unpkg
path = .claude/hooks/forge-session-rename.sh kind = build_helper sizeBytes = 541 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

.claude/hooks/forge-session-rename.shView on unpkg

Findings

1 Critical2 High3 Medium1 Low
CriticalAi Agent Control Hijack.catalyst/bin/install.js
HighInstall Time Lifecycle Scriptspackage.json
HighPayload In Excluded Dir.claude/hooks/forge-session-rename.sh
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumShips Build Helper.claude/hooks/forge-session-rename.sh
MediumStructural Risk Force Deep Review
LowScripts Present