
claude-loadout@0.3.56

Profile your project and gear up your coding agent with the right MCP servers, skills, and hooks. Claude Code, Codex, Cursor, opencode, Gemini CLI & OpenClaw. A recommender + installer, not a list you read.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

The package is a user-invoked AI-agent setup CLI that recommends and writes MCP and Claude hook configuration. The agent-control writes are explicit CLI behavior, not npm install-time mutation, and no exfiltration or stealth persistence was found.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.
Trigger
User runs loadout CLI with interactive apply, --all, doctor --fix, apply, or --target flags
Impact
Can add MCP server launch configs and local hook commands to agent configuration files selected by the user
Mechanism
User-approved config writer for MCP servers and Claude hooks
Rationale
Static inspection shows potentially sensitive AI-agent configuration writes, but they are package-aligned, documented, and activated by explicit CLI commands rather than npm lifecycle execution. I found no concrete malicious behavior such as credential exfiltration, hidden install-time control-surface mutation, remote code loading, or persistence.
Evidence
  • package.json
  • cli/index.js
  • cli/lib/apply.mjs
  • cli/lib/targets.mjs
  • cli/lib/doctor.mjs
  • plugins/loadout/catalog/mcp.json
  • plugins/loadout/catalog/hooks.json
  • .mcp.json
  • .claude/settings.json
  • .cursor/mcp.json
  • .gemini/settings.json
  • opencode.json
  • .codex/config.toml
  • ~/.openclaw/openclaw.json
  • .loadout.json

Decision evidence

public snapshot
AI called this Clean at 87.0% confidence as Benign with low false-positive risk.
Evidence for block
  • cli/lib/apply.mjs can write selected MCP entries to .mcp.json and hooks/settings to .claude/settings.json
  • cli/lib/targets.mjs can write MCP config for Cursor, Gemini, opencode, Codex, and OpenClaw targets
  • plugins/loadout/catalog/mcp.json includes user-invoked npx/uvx MCP server commands, some with @latest
  • plugins/loadout/catalog/hooks.json contains Claude Code hook commands that run formatters/guards on agent events
Evidence against
  • package.json has no install/postinstall lifecycle; prepublishOnly is publisher-side npm test only
  • cli/index.js gates writes behind interactive selection, --all, doctor --fix, apply, or target flags
  • cli/lib/doctor.mjs uses execSync only for local which/where dependency checks
  • No source evidence of credential harvesting, exfiltration, remote payload fetch/execute, or destructive persistence
  • Skill/community entries are presented as manual install commands rather than auto-written
Behavioral surface
Source
Child Process, Environment Vars, Filesystem, Shell
Supply chain
High Entropy Strings, Url Strings
Manifest
No manifest risk signals triggered.
scanned 10 file(s), 81.0 KB of source, external domains: github.com, opencode.ai

Source & flagged code

4 flagged
cli/lib/doctor.mjs
  matchType = previous_version_dangerous_delta
  matchedPackage = claude-loadout@0.3.46
  matchedIdentity = npm:Y2xhdWRlLWxvYWRvdXQ:0.3.46
  similarity = 0.700
  summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

cli/lib/doctor.mjs
  L3: import { openclawConfigPath } from "./paths.mjs";
  L4: import { execSync } from "node:child_process";
  L5: import { loadCatalog } from "./catalog.mjs";
High
Child Process

Package source references child process execution.

cli/lib/doctor.mjs · L3
  L93: findings.fix.push({
  L94:   msg: "POSIX Ruff hook detected — re-run loadout on Windows to apply lint-python-on-edit-win (PowerShell, no jq)",
  L95:   file: ".claude/settings.json",
High
Shell

Package source references shell execution.

cli/lib/doctor.mjs · L93
  L447: msg: hasAuto
  L448:   ? `Loadout would still suggest: ${names} — run npx claude-loadout doctor --fix`
  L449:   : onlyPlugins ...
  L457: const cmd = process.platform === "win32" ? `where ${name}` : `which ${name}`;
  L458: execSync(cmd, { stdio: "ignore" });
  L459: return true;
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

cli/lib/doctor.mjs · L447

Findings

1 Critical · 3 High · 2 Medium · 5 Low
  • Critical · Previous Version Dangerous Delta · cli/lib/doctor.mjs
  • High · Child Process · cli/lib/doctor.mjs
  • High · Shell · cli/lib/doctor.mjs
  • High · Runtime Package Install · cli/lib/doctor.mjs
  • Medium · Environment Vars
  • Medium · Structural Risk Force Deep Review
  • Low · Non Install Lifecycle Scripts
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings