
claude-loadout@0.3.53

Profile your project and gear up your coding agent with the right MCP servers, skills, and hooks. Claude Code, Codex, Cursor, opencode, Gemini CLI & OpenClaw. A recommender + installer, not a list you read.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced a dangerous source file.
Trigger
User runs loadout CLI with interactive selection, --all/--yes, apply, or doctor --fix
Impact
Can add MCP servers and Claude Code hook commands to project or selected agent config files; downstream MCP packages or hooks then run under those agents.
Mechanism
user-invoked AI-agent MCP and hook configuration writer
Rationale
Source inspection shows a user-invoked recommender/installer for MCP servers and Claude hooks, not lifecycle-triggered control-surface hijacking. Because it intentionally writes agent configs and can register auto-updating MCP commands, warn on dangerous agent-facing capability rather than block as malware.
Evidence
  • package.json
  • cli/index.js
  • cli/lib/apply.mjs
  • cli/lib/targets.mjs
  • cli/lib/doctor.mjs
  • cli/lib/manifest.mjs
  • plugins/loadout/catalog/mcp.json
  • plugins/loadout/catalog/hooks.json
  • .mcp.json
  • .claude/settings.json
  • .cursor/mcp.json
  • .gemini/settings.json
  • opencode.json
  • .codex/config.toml
  • ~/.openclaw/openclaw.json
  • .loadout.json
Network endpoints (2)
  • api.githubcopilot.com/mcp/
  • mcp.sentry.dev/mcp

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • cli/lib/apply.mjs writes selected MCP entries to .mcp.json and Claude hooks/settings to .claude/settings.json.
  • cli/lib/targets.mjs can write MCP config for Cursor, Gemini, opencode, Codex, and home-scoped OpenClaw when selected.
  • plugins/loadout/catalog/mcp.json includes npx/uvx MCP server registrations and hosted MCP URLs.
  • plugins/loadout/catalog/hooks.json contains Claude Code hook commands that run formatter/guard shell commands during agent tool events.
Evidence against
  • package.json has no install/postinstall/prepare lifecycle; prepublishOnly is publisher-side npm test only.
  • cli/index.js requires explicit CLI use; non-interactive apply requires --all/--yes or explicit apply/doctor --fix actions.
  • doctor.mjs child_process use is limited to which/where PATH checks for hook dependencies.
  • No credential harvesting, exfiltration, remote code download executed by package code, obfuscation, or destructive behavior found.
  • Skill/reference entries are returned as manual install commands rather than auto-written by apply.mjs.
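The evidence above boils down to three checks a reviewer can run before letting an installer like this touch an agent config: does package.json carry any consumer-side install lifecycle script, which MCP servers would be registered through a floating npx/uvx spec that re-resolves on every launch, and which shell commands would be wired into Claude Code tool events as hooks. The following is an added example written for this review, not code from claude-loadout or lpm-firewall-ai. It assumes the common shapes of these files (package.json "scripts", .mcp.json "mcpServers" entries with either a url or a command plus args, and .claude/settings.json "hooks" grouped by event and matcher); the sample inputs and the @example/mcp-tools package name are constructed for illustration.

```javascript
// Added example, not claude-loadout's own code: audit the agent-facing
// capability a run of the installer would leave behind. Input shapes are
// assumed: package.json "scripts", .mcp.json "mcpServers" entries with
// either { url } or { command, args }, and .claude/settings.json "hooks"
// as { Event: [ { matcher, hooks: [ { type: "command", command } ] } ] }.

// npm scripts that run on the consumer's machine during `npm install`
const INSTALL_LIFECYCLE = new Set(["preinstall", "install", "postinstall", "prepare"]);
// npm scripts that only run on the publisher's machine around `npm publish`
const PUBLISHER_SIDE = new Set(["prepublishOnly", "prepublish", "prepack", "postpack", "publish", "postpublish"]);
// launchers that fetch and execute a package on first use
const RUNNERS = new Set(["npx", "uvx", "pnpx", "bunx"]);

function lifecycleScripts(pkg) {
  const names = Object.keys(pkg.scripts || {});
  return {
    installTime: names.filter((n) => INSTALL_LIFECYCLE.has(n)),
    publisherOnly: names.filter((n) => PUBLISHER_SIDE.has(n)),
  };
}

// For an npx/uvx invocation, find the package spec and whether it pins an
// exact version. "name@1.2.3" and "@scope/name@1.2.3" count as pinned; a bare
// name, "@latest" or a range resolves to something new on each launch.
function pinnedSpec(args) {
  const spec = args.find((a) => !a.startsWith("-"));
  if (!spec) return { spec: null, pinned: false };
  const at = spec.lastIndexOf("@");           // index 0 is a scope, not a version
  const tag = at > 0 ? spec.slice(at + 1) : "";
  return { spec, pinned: /^\d+\.\d+\.\d+/.test(tag) };
}

function auditMcpConfig(cfg) {
  const out = [];
  for (const [name, s] of Object.entries(cfg.mcpServers || {})) {
    if (s.url) {
      out.push({ name, kind: "hosted", target: s.url, floating: false });
    } else if (RUNNERS.has(s.command)) {
      const { spec, pinned } = pinnedSpec(s.args || []);
      out.push({ name, kind: "runner", target: `${s.command} ${spec}`, floating: !pinned });
    } else {
      out.push({ name, kind: "local", target: [s.command, ...(s.args || [])].join(" "), floating: false });
    }
  }
  return out;
}

function auditClaudeHooks(settings) {
  const out = [];
  for (const [event, groups] of Object.entries(settings.hooks || {})) {
    for (const g of groups) {
      for (const h of g.hooks || []) {
        if (h.type === "command") out.push({ event, matcher: g.matcher || "*", command: h.command });
      }
    }
  }
  return out;
}

// One verdict in the report's own terms: warn on agent-facing capability,
// route for closer review only if something would run at install time.
function verdict(pkg, mcp, settings) {
  const life = lifecycleScripts(pkg);
  const servers = auditMcpConfig(mcp);
  const hooks = auditClaudeHooks(settings);
  const level = life.installTime.length ? "review" : servers.length || hooks.length ? "warn" : "ok";
  return { level, floatingServers: servers.filter((s) => s.floating).map((s) => s.name), hookCount: hooks.length, ...life };
}

// constructed sample inputs (not the package's real catalog or configs)
const SAMPLE_PKG = { scripts: { test: "node --test", prepublishOnly: "npm test" } };
const SAMPLE_MCP = { mcpServers: {
  github: { type: "http", url: "https://api.githubcopilot.com/mcp/" },
  "tools-floating": { command: "npx", args: ["-y", "@example/mcp-tools", "--root", "."] },
  "tools-pinned": { command: "npx", args: ["-y", "@example/mcp-tools@1.4.0", "--root", "."] },
  local: { command: "node", args: ["./mcp/server.js"] },
} };
const SAMPLE_SETTINGS = { hooks: { PostToolUse: [ { matcher: "Edit|Write",
  hooks: [ { type: "command", command: "jq -r '.tool_input.file_path' | xargs -r ruff format" } ] } ] } };

console.log(JSON.stringify(verdict(SAMPLE_PKG, SAMPLE_MCP, SAMPLE_SETTINGS), null, 2));
```

Run against real files by reading package.json, .mcp.json and .claude/settings.json with JSON.parse in place of the samples; the floating-spec check is the part worth keeping, since a runner entry without a pinned version is exactly the "auto-updating MCP command" the rationale above warns about.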
Behavioral surface
Source
Child Process, Environment Vars, Filesystem, Shell
Supply chain
High Entropy Strings, Url Strings
Manifest
No manifest risk signals triggered.
scanned 10 file(s), 79.8 KB of source, external domains: github.com, opencode.ai

Source & flagged code

4 flagged
cli/lib/doctor.mjs
matchType: previous_version_dangerous_delta
matchedPackage: claude-loadout@0.3.46
matchedIdentity: npm:Y2xhdWRlLWxvYWRvdXQ:0.3.46
similarity: 0.700
summary: stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

cli/lib/doctor.mjs, lines 3-5 (view on unpkg):

    import { openclawConfigPath } from "./paths.mjs";
    import { execSync } from "node:child_process";
    import { loadCatalog } from "./catalog.mjs";

High
Child Process

Package source references child process execution.
cli/lib/doctor.mjs, lines 73-75 (view on unpkg):

    findings.fix.push({
      msg: "POSIX Ruff hook detected — re-run loadout on Windows to apply lint-python-on-edit-win (PowerShell, no jq)",
      file: ".claude/settings.json",

High
Shell

Package source references shell execution.
cli/lib/doctor.mjs, lines 426-436 (view on unpkg):

    msg: hasAuto
      ? `Loadout would still suggest: ${names} — run npx claude-loadout doctor --fix`
      : `Loadout would still suggest: ${names} — run npx claude-loadout doctor --fix for skill install steps`,
    ...
    const cmd = process.platform === "win32" ? `where ${name}` : `which ${name}`;
    execSync(cmd, { stdio: "ignore" });
    return true;

High
Runtime Package Install

Package source invokes a package manager install command at runtime.

Caveat: the matched text is a user-facing message string that recommends running `npx claude-loadout doctor --fix`; the only child-process call in this span is the which/where PATH check already noted under evidence against, which is consistent with the medium false-positive risk stated for this review. Note also that `name` is interpolated into a shell command line; because the names come from the package's own catalog this is not an injection finding, but it is the pattern a reviewer should confirm is never fed from untrusted input.

Findings

1 Critical, 3 High, 2 Medium, 5 Low
  • Critical: Previous Version Dangerous Delta (cli/lib/doctor.mjs)
  • High: Child Process (cli/lib/doctor.mjs)
  • High: Shell (cli/lib/doctor.mjs)
  • High: Runtime Package Install (cli/lib/doctor.mjs)
  • Medium: Environment Vars
  • Medium: Structural Risk Force Deep Review
  • Low: Non Install Lifecycle Scripts
  • Low: Scripts Present
  • Low: Filesystem
  • Low: High Entropy Strings
  • Low: Url Strings