registry  /  claude-task-worker  /  0.12.0

claude-task-worker@0.12.0

CLI tool that polls GitHub Issues/PRs and delegates work to Claude CLI

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs a worker command against a repository, or explicitly runs `install`/`usage`.
Impact
A collaborator able to apply trigger labels may cause broad agent actions in the checked-out repository.
Mechanism
GitHub-driven autonomous Claude CLI execution with disabled permission prompts.
Rationale
Source inspection finds no concrete malware or unconsented lifecycle mutation. The deliberate permission-bypassing autonomous agent workflow is a material dangerous capability requiring a warning.
Evidence
package.jsondist/index.jsREADME.mdclaude-task-worker.json.claude/worktrees.github/ISSUE_TEMPLATE/cc-triage-scope.yml.github/workflows/assign-creator-on-cc-triage-scope.yml~/.claude/.credentials.json/tmp/claude-usage-cache.json
Network endpoints1
api.anthropic.com/api/oauth/usage

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/index.js` launches Claude with `--dangerously-skip-permissions` for labeled GitHub issues.
  • `dist/index.js` polls GitHub and turns issue numbers into Claude task prompts.
  • Explicit `install` adds and installs a Claude Code marketplace plugin.
  • `usage` reads Claude credentials and sends them only to Anthropic's usage API.
Evidence against
  • `package.json` has only `prepublishOnly`; installation does not execute package code.
  • No obfuscated payload, dynamic code evaluation, or hidden downloader was found.
  • Credential-derived token is used as Bearer auth only for Anthropic usage retrieval.
  • Slack requests use the user-provided webhook environment variable.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 89.0 KB of source, external domains: api.anthropic.com, github.com

Source & flagged code

4 flagged · loading source
dist/index.jsView file
168"use strict"; L169: childProcess = createRequire(import.meta.url)("node:child_process"); L170: HerdrUnavailableError = class extends Error {
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L168
1388import { promisify as promisify2 } from "node:util"; L1389: var execAsync = promisify2(exec); L1390: var WEBHOOK_URL = process.env.CLAUDE_TASK_WORKER_SLACK_WEBHOOK_URL;
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L1388
1383// src/slack.ts L1384: import { exec } from "node:child_process"; L1385: import { readFileSync as readFileSync2, writeFileSync } from "node:fs"; ... L1389: var execAsync = promisify2(exec); L1390: var WEBHOOK_URL = process.env.CLAUDE_TASK_WORKER_SLACK_WEBHOOK_URL; L1391: var USAGE_CACHE_PATH = "/tmp/claude-usage-cache.json"; ... L1395: try { L1396: await fetch(WEBHOOK_URL, { L1397: method: "POST",
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L1383
1395try { L1396: await fetch(WEBHOOK_URL, { L1397: method: "POST", L1398: headers: { "Content-Type": "application/json" }, L1399: body: JSON.stringify(payload) L1400: }); ... L1410: try { L1411: const { stdout } = await execAsync('security find-generic-password -s "Claude Code-credentials" -w'); L1412: return extractToken(JSON.parse(stdout.trim()));
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L1395

Findings

4 High2 Medium5 Low
HighChild Processdist/index.js
HighShelldist/index.js
HighSame File Env Network Executiondist/index.js
HighCommand Output Exfiltrationdist/index.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings