claude-task-worker@0.3.0

CLI tool that polls GitHub Issues/PRs and delegates work to Claude CLI

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface. The package has explicit user-invoked agent extension setup and broad automation capabilities that can run Claude against GitHub-triggered tasks.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs CLI commands such as `install`, `update`, `init`, `usage`, a worker, `all`, or `yolo`.
Impact
Can install/update a Claude plugin, globally install this CLI, write project setup files, run git/gh/claude, and send task/usage notifications when configured.
Mechanism
GitHub/Claude automation CLI with explicit plugin lifecycle commands
Rationale
Source inspection shows risky but package-aligned automation and explicit Claude plugin lifecycle management, not unconsented install-time control-surface mutation or concrete exfiltration. Warn is appropriate for first-party agent extension lifecycle risk and dangerous automation scope.
Evidence
  • package.json
  • dist/index.js
  • README.md
  • claude-task-worker.json
  • .github/ISSUE_TEMPLATE/cc-triage-scope.yml
  • .github/workflows/assign-creator-on-cc-triage-scope.yml
  • .claude/worktrees
  • /tmp/claude-usage-cache.json
Network endpoints (3)
  • api.anthropic.com/api/oauth/usage
  • github.com/getty104/claude-task-worker
  • hooks.slack.com/services/xxx/yyy/zzz

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/index.js install/update explicitly run `claude plugin marketplace/install/update` and `npm install -g claude-task-worker@latest`.
  • dist/index.js workers spawn `claude -p ... --dangerously-skip-permissions` from GitHub issue/PR labels.
  • dist/index.js reads Claude credentials for `usage` and calls Anthropic usage API; task output may be sent to configured Slack webhook.
  • dist/index.js `init` writes repo config, issue template, and GitHub workflow files.
Evidence against
  • package.json has no preinstall/install/postinstall hooks; only prepublishOnly build.
  • Agent/plugin setup is only under explicit `install`/`update` user commands, not install-time mutation.
  • README documents the Claude plugin install/update behavior, worker labels, Slack webhook, and generated files.
  • Child process and GitHub operations are core package functionality for a GitHub/Claude task worker; no hidden payload, obfuscation, or hardcoded exfil endpoint found.
Behavioral surface
Source
ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
Supply chain
UrlStrings
Manifest
No manifest risk signals triggered.
scanned 1 file(s), 62.6 KB of source, external domains: api.anthropic.com, github.com

Source & flagged code

4 flagged
dist/index.js
    L3: // src/gh.ts
    L4: import { execFile } from "node:child_process";
    L5: function execGh(args) {
High
Child Process

Package source references child process execution.

dist/index.js · L3
    L960: import { promisify as promisify2 } from "node:util";
    L961: var execAsync = promisify2(exec);
    L962: var WEBHOOK_URL = process.env.CLAUDE_TASK_WORKER_SLACK_WEBHOOK_URL;
High
Shell

Package source references shell execution.

dist/index.js · L960
    L955: // src/slack.ts
    L956: import { exec } from "node:child_process";
    L957: import { readFileSync as readFileSync2, writeFileSync } from "node:fs";
    ...
    L961: var execAsync = promisify2(exec);
    L962: var WEBHOOK_URL = process.env.CLAUDE_TASK_WORKER_SLACK_WEBHOOK_URL;
    L963: var USAGE_CACHE_PATH = "/tmp/claude-usage-cache.json";
    ...
    L967: try {
    L968:   await fetch(WEBHOOK_URL, {
    L969:     method: "POST",
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.js · L955
    L967: try {
    L968:   await fetch(WEBHOOK_URL, {
    L969:     method: "POST",
    L970:     headers: { "Content-Type": "application/json" },
    L971:     body: JSON.stringify(payload)
    L972:   });
    ...
    L982: try {
    L983:   const { stdout } = await execAsync('security find-generic-password -s "Claude Code-credentials" -w');
    L984:   return extractToken(JSON.parse(stdout.trim()));
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.js · L967

Findings

4 High, 2 Medium, 4 Low
  • High · Child Process · dist/index.js
  • High · Shell · dist/index.js
  • High · Same File Env Network Execution · dist/index.js
  • High · Command Output Exfiltration · dist/index.js
  • Medium · Network
  • Medium · Environment Vars
  • Low · Non Install Lifecycle Scripts
  • Low · Scripts Present
  • Low · Filesystem
  • Low · Url Strings