claude-task-worker@0.1.0

CLI tool that polls GitHub Issues/PRs and delegates work to Claude CLI

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as a warn-only, first-party agent extension lifecycle risk. There is no confirmed malicious attack surface, but the package carries user-invoked AI-agent extension lifecycle risk: it installs and updates its Claude Code plugin and runs Claude with broad permissions as part of documented GitHub automation.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs claude-task-worker install/update or worker commands
Impact
Could grant the package-owned Claude plugin and worker commands broad ability to act on the user's repo when invoked
Mechanism
explicit CLI-driven Claude plugin setup and GitHub/Claude task execution
Rationale
The risky primitives are package-aligned and explicit user commands, with no npm install-time mutation or hidden exfiltration. Per policy this is a warning-level first-party agent extension lifecycle risk, not a publish block.
Evidence
  • package.json
  • dist/index.js
  • dist/slack.js
  • dist/usage.js
  • README.md
  • claude-task-worker.json
  • .github/ISSUE_TEMPLATE/cc-triage-scope.yml
  • .github/workflows/assign-creator-on-cc-triage-scope.yml
  • .claude/worktrees
  • /tmp/claude-usage-cache.json
  • ~/.claude/.credentials.json
Network endpoints (4)
  • api.anthropic.com/api/oauth/usage
  • CLAUDE_TASK_WORKER_SLACK_WEBHOOK_URL
  • github.com/${owner}/${name}/issues/${issue.number}
  • github.com/${owner}/${name}/pull/${pr.number}

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/index.js install/update explicit commands mutate Claude plugin marketplace and install/update claude-task-worker plugin.
  • dist/index.js worker commands spawn claude with --dangerously-skip-permissions for GitHub issue/PR automation.
  • dist/index.js usage command reads Claude credentials and calls https://api.anthropic.com/api/oauth/usage.
  • dist/index.js can send task status and failed command output to user-provided Slack webhook env URL.
Evidence against
  • package.json has no preinstall/install/postinstall hooks; only prepublishOnly build.
  • README.md documents Claude Code/GitHub automation, install/update, Slack webhook, and init behavior.
  • dist/index.js plugin setup is activated only by user CLI commands install/update, not npm lifecycle.
  • dist/index.js GitHub and Claude invocations are core package functionality, not hidden import-time behavior.
  • No obfuscation, eval/vm, binary loading, or hardcoded exfiltration endpoint found.
Behavioral surface
Source
ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 15 file(s), 103 KB of source, external domains: api.anthropic.com, github.com

Source & flagged code

4 flagged
dist/gh.js
    L1: import { execFile } from "node:child_process";
    L2: function execGh(args) {
High
Child Process

Package source references child process execution.

dist/gh.js · L1
dist/index.js
    L944: import { promisify as promisify2 } from "node:util";
    L945: var execAsync = promisify2(exec);
    L946: var WEBHOOK_URL = process.env.CLAUDE_TASK_WORKER_SLACK_WEBHOOK_URL;
High
Shell

Package source references shell execution.

dist/index.js · L944
    L939: // src/slack.ts
    L940: import { exec } from "node:child_process";
    L941: import { readFileSync as readFileSync2, writeFileSync } from "node:fs";
    ...
    L945: var execAsync = promisify2(exec);
    L946: var WEBHOOK_URL = process.env.CLAUDE_TASK_WORKER_SLACK_WEBHOOK_URL;
    L947: var USAGE_CACHE_PATH = "/tmp/claude-usage-cache.json";
    ...
    L951: try {
    L952: await fetch(WEBHOOK_URL, {
    L953: method: "POST",
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.js · L939
    L951: try {
    L952: await fetch(WEBHOOK_URL, {
    L953: method: "POST",
    L954: headers: { "Content-Type": "application/json" },
    L955: body: JSON.stringify(payload)
    L956: });
    ...
    L966: try {
    L967: const { stdout } = await execAsync('security find-generic-password -s "Claude Code-credentials" -w');
    L968: return extractToken(JSON.parse(stdout.trim()));
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.js · L951

Findings

4 High · 2 Medium · 5 Low
High · Child Process · dist/gh.js
High · Shell · dist/index.js
High · Same File Env Network Execution · dist/index.js
High · Command Output Exfiltration · dist/index.js
Medium · Network
Medium · Environment Vars
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings