AI Security Review
scanned 2h ago · by lpm-firewall-ai
LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious install-time attack surface. The package is a powerful GitHub/Claude automation CLI with explicit first-party Claude plugin setup and optional Slack notifications.
Decision evidence
public snapshot
- dist/index.js exposes explicit install/update commands that run `claude plugin marketplace add/update`, `claude plugin install/update`, and `npm install -g`.
- dist/index.js worker commands spawn `claude -p ... --dangerously-skip-permissions` based on GitHub issue/PR labels.
- dist/index.js can send task output to a Slack webhook from `CLAUDE_TASK_WORKER_SLACK_WEBHOOK_URL`.
- dist/index.js `usage` reads Claude credentials and calls `https://api.anthropic.com/api/oauth/usage`.
- package.json has no preinstall/install/postinstall hook; only `prepublishOnly`.
- Agent/plugin mutation is behind explicit `claude-task-worker install` or `update` commands and is first-party named.
- Child process use is package-aligned: `gh`, `git`, `claude`, and `npm` for documented automation workflows.
- No eval/vm/Function, obfuscated payload, native binary loading, or hidden import-time execution found.
- Slack network egress requires an explicit webhook environment variable.
Source & flagged code
4 flagged
A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/index.js · L955
Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/index.js · L967