claude-loadout@0.3.55

Profile your project and gear up your coding agent with the right MCP servers, skills, and hooks. Claude Code, Codex, Cursor, opencode, Gemini CLI & OpenClaw. A recommender + installer, not a list you read.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a documented user-invoked recommender/installer for AI-agent MCP and Claude settings, with writes gated by CLI commands and prompts rather than npm lifecycle execution.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced dangerous source.
Trigger
User runs the loadout CLI (apply, doctor --fix, or --all) or selects recommendations interactively.
Impact
Can add MCP servers and Claude hooks/settings chosen from bundled catalogs; no unconsented install-time mutation observed.
Mechanism
User-approved agent configuration writer and catalog recommender.
Rationale
Static inspection shows agent-control-surface writes and runtime package launches are core, documented, user-invoked package behavior with interactive/noninteractive guards and no npm lifecycle delivery. No source evidence of credential theft, exfiltration, persistence, destructive action, or unconsented foreign agent hijack was found.
Evidence
  • package.json
  • cli/index.js
  • cli/lib/apply.mjs
  • cli/lib/targets.mjs
  • cli/lib/doctor.mjs
  • cli/lib/manifest.mjs
  • plugins/loadout/catalog/mcp.json
  • plugins/loadout/catalog/hooks.json
  • plugins/loadout/catalog/skills.json
  • .mcp.json
  • .claude/settings.json
  • .cursor/mcp.json
  • .gemini/settings.json
  • opencode.json
  • .codex/config.toml
  • ~/.openclaw/openclaw.json
  • .loadout.json
Network endpoints (2)
  • api.githubcopilot.com/mcp/
  • mcp.sentry.dev/mcp

Decision evidence

public snapshot
The AI classifier rated this package Clean (Benign) at 86.0% confidence, with low false-positive risk.
Evidence for block
  • User-invoked CLI can write agent configs: .mcp.json, .claude/settings.json, .cursor/mcp.json, .gemini/settings.json, opencode.json, .codex/config.toml, ~/.openclaw/openclaw.json.
  • Catalog includes MCP entries launched via npx/uvx, some pinned to @latest, but only after interactive selection, --all, --fix, or apply commands.
  • cli/lib/doctor.mjs uses execSync only for local PATH checks via which/where.
Evidence against
  • package.json has no install/postinstall/prepare hook; prepublishOnly runs tests only for publishing.
  • cli/index.js defaults to preview plus interactive prompt; non-TTY requires --all to apply.
  • Skills/reference entries are returned as manual install commands, not auto-written.
  • No credential harvesting or exfiltration code found; token strings are placeholders reported back to the user.
  • No remote code download/eval/vm/native binary loading found in package source.
Behavioral surface
Source: Child Process, Environment Vars, Filesystem, Shell
Supply chain: High Entropy Strings, Url Strings
Manifest: No manifest risk signals triggered.
scanned 10 file(s), 80.7 KB of source, external domains: github.com, opencode.ai

Source & flagged code

4 flagged
cli/lib/doctor.mjs
matchType = previous_version_dangerous_delta
matchedPackage = claude-loadout@0.3.46
matchedIdentity = npm:Y2xhdWRlLWxvYWRvdXQ:0.3.46
similarity = 0.700
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

cli/lib/doctor.mjs

    import { openclawConfigPath } from "./paths.mjs";
    import { execSync } from "node:child_process";
    import { loadCatalog } from "./catalog.mjs";
High
Child Process

Package source references child process execution.

cli/lib/doctor.mjs, line 3

    findings.fix.push({
      msg: "POSIX Ruff hook detected — re-run loadout on Windows to apply lint-python-on-edit-win (PowerShell, no jq)",
      file: ".claude/settings.json",
High
Shell

Package source references shell execution.

cli/lib/doctor.mjs, line 93

    msg: hasAuto
      ? `Loadout would still suggest: ${names} — run npx claude-loadout doctor --fix`
      : onlyPlugins
    ...
    const cmd = process.platform === "win32" ? `where ${name}` : `which ${name}`;
    execSync(cmd, { stdio: "ignore" });
    return true;
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

cli/lib/doctor.mjs, line 447

Findings

1 Critical · 3 High · 2 Medium · 5 Low
  • Critical · Previous Version Dangerous Delta · cli/lib/doctor.mjs
  • High · Child Process · cli/lib/doctor.mjs
  • High · Shell · cli/lib/doctor.mjs
  • High · Runtime Package Install · cli/lib/doctor.mjs
  • Medium · Environment Vars
  • Medium · Structural Risk Force Deep Review
  • Low · Non Install Lifecycle Scripts
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings