registry  /  catalyst-os  /  3.1.1

catalyst-os@3.1.1

AI-native spec-driven development framework for Claude Code

AI Security Review

scanned 9d ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Install-time script drops AI-agent control files into the current working directory. This can alter Claude Code agent behavior and project instructions without an explicit runtime command from the user.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm postinstall lifecycle or invoking catalyst-os bin
Impact
Project .claude agents, commands, skills, AGENTS.md, and .catalyst framework files may be created or overwritten, changing AI-agent behavior in the consuming project.
Mechanism
unconsented AI-agent control-surface file copy/overwrite
Policy narrative
On install, package.json runs .catalyst/bin/install.js. That script recursively copies packaged Claude agents, commands, and skills into process.cwd(), writes AGENTS.md and .catalyst files, creates a local secrets template, and appends .gitignore. Although this matches the package's advertised Claude framework purpose and no exfiltration was found, lifecycle mutation of AI-agent control files is a concrete unconsented control-surface change.
Rationale
Source inspection confirms install-time mutation of Claude/AI-agent control files in the target cwd; this is the relevant concrete attack surface, not the optional voice networking. No credential theft or destructive behavior was found, but the lifecycle control-surface overwrite is sufficient to block under the firewall policy. Product guard normalized a non-low false-positive publish_block request to warn-only suspicious.
Evidence
package.json.catalyst/bin/install.js.catalyst/voice/meet-server.js.claude/hooks/forge-session-rename.sh.claude/settings.json.claude/agents或 .claude/commands.claude/skills.catalyst/spec-structure.yaml.catalyst/main/temp.catalyst/main/project-config.yaml.catalyst/voice.catalyst/specs.catalyst/secrets.local.yaml.gitignoreAGENTS.md
Network endpoints3
api.elevenlabs.io/v1/convai/conversation/get-signed-urlesm.sh/@elevenlabs/clientcdn.jsdelivr.net/npm/marked@12/marked.min.js

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for policy block
  • package.json runs postinstall: node .catalyst/bin/install.js
  • install.js copies package .claude/agents, .claude/commands, .claude/skills into process.cwd()
  • install.js overwrites existing .claude/agents after warning, without consent gate
  • install.js writes AGENTS.md and .catalyst files into the target cwd
  • Package ships Claude agent/control content under .claude/agents and .claude/skills
Evidence against
  • No credential harvesting or exfiltration found in install.js
  • Network use found only in optional .catalyst/voice/meet-server.js, not lifecycle
  • Shell hooks are shipped but not copied by install.js
  • Voice server reads local ElevenLabs key only when user starts meeting server
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 0 file(s), 0 B of source

Source & flagged code

5 flagged · loading source
package.jsonView file
scripts.postinstall = node .catalyst/bin/install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node .catalyst/bin/install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
.catalyst/bin/install.jsView file
1Install-time AI-agent control hijack evidence: L41: ${yellow}What gets installed:${reset} L42: ${dim}.claude/${reset} Agents, skills, and slash commands L43: ${dim}.catalyst/${reset} Spec templates and project config ... L60: function copyDir(srcDir, destDir) { L61: fs.mkdirSync(destDir, { recursive: true }); L62: ... L71: } else { L72: fs.copyFileSync(srcPath, destPath); L73: } ... L81: if (fs.existsSync(src)) { L82: fs.mkdirSync(path.dirname(dest), { recursive: true }); L83: fs.copyFileSync(src, dest); Payload evidence from .claude/settings.json: L1: { L2: "hooks": {
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

.catalyst/bin/install.jsView on unpkg · L1
.claude/hooks/forge-session-rename.shView file
path = .claude/hooks/forge-session-rename.sh kind = payload_in_excluded_dir sizeBytes = 541 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.claude/hooks/forge-session-rename.shView on unpkg
path = .claude/hooks/forge-session-rename.sh kind = build_helper sizeBytes = 541 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

.claude/hooks/forge-session-rename.shView on unpkg

Findings

1 Critical2 High3 Medium1 Low
CriticalAi Agent Control Hijack.catalyst/bin/install.js
HighInstall Time Lifecycle Scriptspackage.json
HighPayload In Excluded Dir.claude/hooks/forge-session-rename.sh
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumShips Build Helper.claude/hooks/forge-session-rename.sh
MediumStructural Risk Force Deep Review
LowScripts Present