registry  /  claude-task-worker  /  0.13.0

claude-task-worker@0.13.0

CLI tool that polls GitHub Issues/PRs and delegates work to Claude CLI

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs a worker command such as `all`, `yolo`, or an individual issue/PR worker.
Impact
Agent actions can modify the current repository and GitHub state; optional webhook notifications receive task output.
Mechanism
GitHub-triggered Claude CLI execution with `--dangerously-skip-permissions`, worktree management, and optional Slack notifications.
Rationale
The source confirms risky privileged AI-agent automation and explicit plugin lifecycle actions, but no lifecycle hook, stealth persistence, remote payload chain, or unconsented credential exfiltration. Warn rather than block.
Evidence
package.jsondist/index.jsREADME.mdclaude-task-worker.json.claude/.credentials.json/tmp/claude-usage-cache.json.claude/worktrees.github/ISSUE_TEMPLATE/cc-triage-scope.yml.github/workflows/assign-creator-on-cc-triage-scope.yml
Network endpoints1
api.anthropic.com/api/oauth/usage

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/index.js` launches Claude with `--dangerously-skip-permissions` for GitHub issue/PR-triggered tasks.
  • `dist/index.js` polls GitHub via `gh`, creates worktrees, and runs agent actions against the current repository.
  • `dist/index.js` reads Claude OAuth credentials and sends them only to Anthropic's usage endpoint.
  • `dist/index.js` can forward up to 1,000 characters of agent output to an optional Slack webhook.
  • Explicit `install`/`update` commands add and update a Claude plugin marketplace.
Evidence against
  • `package.json` has only `prepublishOnly`; installation does not execute package code.
  • CLI dispatch in `dist/index.js` requires an explicit command; agent and plugin setup are user-invoked.
  • No hidden payload, eval/vm execution, obfuscated strings, or non-package-aligned exfiltration endpoint was found.
  • Credential use is limited to an authenticated usage request to `api.anthropic.com`; the token is not included in Slack payloads.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 90.1 KB of source, external domains: api.anthropic.com, github.com

Source & flagged code

4 flagged · loading source
dist/index.jsView file
168"use strict"; L169: childProcess = createRequire(import.meta.url)("node:child_process"); L170: HerdrUnavailableError = class extends Error {
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L168
1414import { promisify as promisify2 } from "node:util"; L1415: var execAsync = promisify2(exec); L1416: var WEBHOOK_URL = process.env.CLAUDE_TASK_WORKER_SLACK_WEBHOOK_URL;
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L1414
1409// src/slack.ts L1410: import { exec } from "node:child_process"; L1411: import { readFileSync as readFileSync2, writeFileSync } from "node:fs"; ... L1415: var execAsync = promisify2(exec); L1416: var WEBHOOK_URL = process.env.CLAUDE_TASK_WORKER_SLACK_WEBHOOK_URL; L1417: var USAGE_CACHE_PATH = "/tmp/claude-usage-cache.json"; ... L1421: try { L1422: await fetch(WEBHOOK_URL, { L1423: method: "POST",
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L1409
1421try { L1422: await fetch(WEBHOOK_URL, { L1423: method: "POST", L1424: headers: { "Content-Type": "application/json" }, L1425: body: JSON.stringify(payload) L1426: }); ... L1436: try { L1437: const { stdout } = await execAsync('security find-generic-password -s "Claude Code-credentials" -w'); L1438: return extractToken(JSON.parse(stdout.trim()));
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L1421

Findings

4 High2 Medium5 Low
HighChild Processdist/index.js
HighShelldist/index.js
HighSame File Env Network Executiondist/index.js
HighCommand Output Exfiltrationdist/index.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings