AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious payload or exfiltration chain was found. The real risk is install-time first-party Claude hook repair across user/project settings plus explicit setup that installs Claude hooks and skills.
Decision evidence
public snapshot- package.json runs postinstall: node scripts/postinstall.js || true
- scripts/postinstall.js creates ~/.claude-recall and writes projects.json for cwd when not inside package/node_modules
- scripts/postinstall.js executes dist CLI repair --auto --scope all during install
- dist/cli/commands/repair.js scans ~/.claude and project .claude/settings*.json under $HOME and can rewrite existing claude-recall hook commands with backups
- dist/cli/claude-recall-cli.js explicit setup --install writes .claude/hooks/search_enforcer.py, .claude/skills, and replaces settings.hooks
- hooks/llm-classifier.js sends classified user/session text to Anthropic SDK when ANTHROPIC_API_KEY is present
- postinstall comments and code do not auto-run setup --install or add MCP servers
- repair only proposes fixes for commands classified as claude-recall hooks with missing absolute script paths
- repair writes backups before changing settings files
- search_enforcer.py is a local gating hook; no network or credential harvesting seen
- runtime npm install/npm view is confined to explicit claude-recall upgrade command
- database-adapter dynamic require loads better-sqlite3/sql.js local dependencies, not remote code
Source & flagged code
9 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgPackage source references child process execution.
dist/memory/database-adapter.jsView on unpkg · L56Package source references dynamic require/import behavior.
dist/memory/database-adapter.jsView on unpkg · L36Install-time source drops package-supplied AI-agent/MCP control files or instructions.
scripts/postinstall.jsView on unpkg · L8Package source invokes a package manager install command at runtime.
dist/services/claude-json-watcher.jsView on unpkg · L195Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.
.claude/hooks/search_enforcer.pyView on unpkgPackage ships non-JavaScript build or shell helper files.
.claude/hooks/search_enforcer.pyView on unpkg