claude-task-worker@0.1.1

CLI tool that polls GitHub Issues/PRs and delegates work to Claude CLI

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious install-time attack surface. The package provides an explicit automation CLI that can install its own Claude plugin and later run Claude Code with skipped permissions on GitHub-selected tasks.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `claude-task-worker install`, `update`, `usage`, or worker commands such as `all`/`yolo`.
Impact
Dangerous if misconfigured or used on untrusted GitHub issues because spawned Claude tasks run with skipped permissions and optional Slack notifications include task output.
Mechanism
Explicit user-command Claude plugin setup and GitHub/Claude task automation
Rationale
Source inspection shows a package-aligned but high-capability Claude/GitHub automation tool, with first-party plugin installation only via explicit CLI commands and no npm install-time mutation. The skipped-permissions Claude execution and credential-backed usage lookup warrant warning, but no concrete stealth, exfiltration, persistence, or lifecycle hijack was found.
Evidence
  • package.json
  • README.md
  • dist/index.js
  • claude-task-worker.json
  • .github/ISSUE_TEMPLATE/cc-triage-scope.yml
  • .github/workflows/assign-creator-on-cc-triage-scope.yml
  • .claude/worktrees
  • /tmp/claude-usage-cache.json
  • ~/.claude/.credentials.json
Network endpoints (5)
  • api.anthropic.com/api/oauth/usage
  • github.com/${owner}/${name}/issues/${issue.number}
  • github.com/${owner}/${name}/pull/${pr.number}
  • getty104/claude-task-worker
  • CLAUDE_TASK_WORKER_SLACK_WEBHOOK_URL

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/index.js defines explicit install/update commands that run `claude plugin marketplace add/update` and `claude plugin install/update` for getty104/claude-task-worker.
  • dist/index.js worker paths spawn `claude -p ... --dangerously-skip-permissions` for GitHub issue/PR-triggered tasks.
  • dist/index.js reads Claude credentials from macOS keychain or `~/.claude/.credentials.json` to call Anthropic usage API.
  • dist/index.js can send task output and usage summaries to `CLAUDE_TASK_WORKER_SLACK_WEBHOOK_URL`.
Evidence against
  • package.json has no preinstall/install/postinstall hook; only prepublishOnly build.
  • Agent/plugin mutation is only under explicit CLI commands `install` or `update`, not import-time or install-time.
  • Network and GitHub CLI activity matches the documented GitHub/Claude worker purpose in README.md.
  • Slack exfiltration path requires a user-provided webhook environment variable.
  • Worktree deletion is bounded to `.claude/worktrees` by path checks.
Behavioral surface
Source
ChildProcess · Crypto · EnvironmentVars · Filesystem · Network · Shell
Supply chain
UrlStrings
Manifest
No manifest risk signals triggered.
scanned 1 file(s), 61.1 KB of source, external domains: api.anthropic.com, github.com

Source & flagged code

4 flagged
dist/index.js
L3: // src/gh.ts
L4: import { execFile } from "node:child_process";
L5: function execGh(args) {
High
Child Process

Package source references child process execution.

dist/index.js · L3
L944: import { promisify as promisify2 } from "node:util";
L945: var execAsync = promisify2(exec);
L946: var WEBHOOK_URL = process.env.CLAUDE_TASK_WORKER_SLACK_WEBHOOK_URL;
High
Shell

Package source references shell execution.

dist/index.js · L944
L939: // src/slack.ts
L940: import { exec } from "node:child_process";
L941: import { readFileSync as readFileSync2, writeFileSync } from "node:fs";
...
L945: var execAsync = promisify2(exec);
L946: var WEBHOOK_URL = process.env.CLAUDE_TASK_WORKER_SLACK_WEBHOOK_URL;
L947: var USAGE_CACHE_PATH = "/tmp/claude-usage-cache.json";
...
L951: try {
L952: await fetch(WEBHOOK_URL, {
L953: method: "POST",
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.js · L939
L951: try {
L952: await fetch(WEBHOOK_URL, {
L953: method: "POST",
L954: headers: { "Content-Type": "application/json" },
L955: body: JSON.stringify(payload)
L956: });
...
L966: try {
L967: const { stdout } = await execAsync('security find-generic-password -s "Claude Code-credentials" -w');
L968: return extractToken(JSON.parse(stdout.trim()));
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.js · L951

Findings

4 High · 2 Medium · 4 Low
  • High · Child Process · dist/index.js
  • High · Shell · dist/index.js
  • High · Same File Env Network Execution · dist/index.js
  • High · Command Output Exfiltration · dist/index.js
  • Medium · Network
  • Medium · Environment Vars
  • Low · Non Install Lifecycle Scripts
  • Low · Scripts Present
  • Low · Filesystem
  • Low · Url Strings