
claude-loadout@0.3.54

Profile your project and gear up your coding agent with the right MCP servers, skills, and hooks. Claude Code, Codex, Cursor, opencode, Gemini CLI & OpenClaw. A recommender + installer, not a list you read.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is an agent setup CLI that can modify AI-agent MCP and Claude settings only when the user runs commands to apply recommendations.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced dangerous source.
Trigger
Explicit user invocation of the loadout CLI with interactive selection, --all, doctor --fix, apply, or target flags.
Impact
Configures agent capabilities and optional hooks; risky if users accept broad MCP/tools, but not lifecycle-triggered or covert.
Mechanism
Documented config merge for selected MCP servers and Claude hooks/settings.
Rationale
Static inspection shows a documented, user-invoked recommender/installer for MCP servers, skills, and Claude hooks with no install-time execution, exfiltration, stealth persistence, or remote payload execution by the package itself. The agent config writes are package-aligned and opt-in at runtime, so the scanner's dangerous primitives are explained by the product function.
Evidence
package.json
cli/index.js
cli/lib/apply.mjs
cli/lib/targets.mjs
cli/lib/manifest.mjs
cli/lib/doctor.mjs
plugins/loadout/catalog/mcp.json
plugins/loadout/catalog/hooks.json
plugins/loadout/catalog/skills.json
.mcp.json
.claude/settings.json
.cursor/mcp.json
.gemini/settings.json
opencode.json
.codex/config.toml
~/.openclaw/openclaw.json
.loadout.json
Network endpoints (2)
api.githubcopilot.com/mcp/
mcp.sentry.dev/mcp

Decision evidence

public snapshot
The AI classifier rated this package Clean (Benign) at 90.0% confidence, with low false-positive risk.
Evidence for block
  • User-invoked CLI can write AI-agent config files: .mcp.json, .claude/settings.json, .cursor/mcp.json, .gemini/settings.json, opencode.json, .codex/config.toml, ~/.openclaw/openclaw.json.
  • Catalog MCP entries include runtime package launchers such as npx -y and some @latest package args in plugins/loadout/catalog/mcp.json.
  • Catalog hooks add Claude Code shell commands to .claude/settings.json for formatting, linting, secret-read blocking, and git-push blocking.
Evidence against
  • package.json has no install/postinstall/prepare lifecycle hook; prepublishOnly only runs tests before publishing.
  • cli/index.js requires explicit CLI actions, interactive confirmation, --all, --fix, --ids, or manifest apply before writes occur.
  • cli/lib/apply.mjs and cli/lib/targets.mjs only merge selected catalog entries into documented agent config paths; no stealth persistence or destructive logic found.
  • cli/lib/doctor.mjs uses child_process only for commandExists via which/where during user-invoked audit, not to execute package payloads.
  • No credential harvesting or exfiltration code found; token strings are placeholders or user warnings.
  • Skills/reference items are printed as manual install commands rather than auto-installed.
Behavioral surface
Source: ChildProcess, EnvironmentVars, Filesystem, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 10 file(s), 80.1 KB of source, external domains: github.com, opencode.ai

Source & flagged code

4 flagged
cli/lib/doctor.mjs
matchType = previous_version_dangerous_delta
matchedPackage = claude-loadout@0.3.46
matchedIdentity = npm:Y2xhdWRlLWxvYWRvdXQ:0.3.46
similarity = 0.700
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

cli/lib/doctor.mjs
L3: import { openclawConfigPath } from "./paths.mjs";
L4: import { execSync } from "node:child_process";
L5: import { loadCatalog } from "./catalog.mjs";
High
Child Process

Package source references child process execution.

cli/lib/doctor.mjs · L3
L73: findings.fix.push({
L74:   msg: "POSIX Ruff hook detected — re-run loadout on Windows to apply lint-python-on-edit-win (PowerShell, no jq)",
L75:   file: ".claude/settings.json",
High
Shell

Package source references shell execution.

cli/lib/doctor.mjs · L73
L427:   msg: hasAuto
L428:     ? `Loadout would still suggest: ${names} — run npx claude-loadout doctor --fix`
L429:     : onlyPlugins
...
L437:   const cmd = process.platform === "win32" ? `where ${name}` : `which ${name}`;
L438:   execSync(cmd, { stdio: "ignore" });
L439:   return true;
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

cli/lib/doctor.mjs · L427

Findings

1 Critical · 3 High · 2 Medium · 5 Low
Critical: Previous Version Dangerous Delta (cli/lib/doctor.mjs)
High: Child Process (cli/lib/doctor.mjs)
High: Shell (cli/lib/doctor.mjs)
High: Runtime Package Install (cli/lib/doctor.mjs)
Medium: Environment Vars
Medium: Structural Risk Force Deep Review
Low: Non Install Lifecycle Scripts
Low: Scripts Present
Low: Filesystem
Low: High Entropy Strings
Low: Url Strings