AI Security Review
scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious install-time attack surface. The package provides an explicit automation CLI that can install its own Claude plugin and later run Claude Code with skipped permissions on GitHub-selected tasks.
Decision evidence (public snapshot)
- dist/index.js defines explicit install/update commands that run `claude plugin marketplace add/update` and `claude plugin install/update` for getty104/claude-task-worker.
- dist/index.js worker paths spawn `claude -p ... --dangerously-skip-permissions` for GitHub issue/PR-triggered tasks.
- dist/index.js reads Claude credentials from macOS keychain or `~/.claude/.credentials.json` to call Anthropic usage API.
- dist/index.js can send task output and usage summaries to `CLAUDE_TASK_WORKER_SLACK_WEBHOOK_URL`.
- package.json has no preinstall/install/postinstall hook; only prepublishOnly build.
- Agent/plugin mutation is only under explicit CLI commands `install` or `update`, not import-time or install-time.
- Network and GitHub CLI activity matches the documented GitHub/Claude worker purpose in README.md.
- Slack exfiltration path requires a user-provided webhook environment variable.
- Worktree deletion is bounded to `.claude/worktrees` by path checks.
Source & flagged code
4 flagged
- dist/index.js L939: A single source file combines environment access, network access, and code or shell execution; review context before blocking.
- dist/index.js L951: Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.