AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. Running the package starts a localhost panel and automatically persists a shell-level `claude` wrapper unless disabled. The wrapper routes future Claude Code API traffic through a localhost capture proxy, which records sensitive session content locally.
Decision evidence
public snapshot- `server.js` automatically installs a persistent `claude` shell wrapper on first panel startup.
- The wrapper redirects Claude traffic to a local inspector proxy and persists captured prompts, tool definitions, responses, and thinking.
- `server.js` appends captures to `~/.claude/panel-captures.jsonl`.
- `package.json` has no preinstall, install, or postinstall lifecycle hook.
- The proxy binds only to `127.0.0.1` and forwards requests to `api.anthropic.com`.
- No external exfiltration endpoint, remote payload loader, eval, or destructive behavior was found.
- Shell/profile mutation is reached only after the user runs the package entrypoint.
Source & flagged code
3 flagged · loading sourceSource writes persistence or remote-access backdoor material.
server.jsView on unpkg · L10A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
server.jsView on unpkg · L10Package ships non-JavaScript build or shell helper files.
scripts/gen-demo-data.pyView on unpkg