claude-task-worker@0.2.0

CLI tool that polls GitHub Issues/PRs and delegates work to Claude CLI

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious install-time attack surface. The package is a powerful GitHub/Claude automation CLI with explicit first-party Claude plugin setup and optional Slack notifications.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs CLI commands such as `install`, `update`, `usage`, or worker modes.
Impact
Can install/update a Claude plugin, run Claude with skipped permissions on labeled GitHub work, mutate repo labels/worktrees/files, and optionally send task output to Slack.
Mechanism
Explicit agent extension setup and user-invoked AI task automation
Rationale
Source inspection supports a warning for explicit agent extension lifecycle and dangerous automation capability, not a publish block: the risky actions are user-invoked and documented, with no hidden lifecycle execution or concrete credential exfiltration chain.
Evidence
  • package.json
  • dist/index.js
  • README.md
  • claude-task-worker.json
  • .github/ISSUE_TEMPLATE/cc-triage-scope.yml
  • .github/workflows/assign-creator-on-cc-triage-scope.yml
  • .claude/worktrees/*
  • /tmp/claude-usage-cache.json
  • ~/.claude/.credentials.json
Network endpoints (3)
  • api.anthropic.com/api/oauth/usage
  • github.com/getty104/claude-task-worker
  • Slack webhook from CLAUDE_TASK_WORKER_SLACK_WEBHOOK_URL

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/index.js exposes explicit install/update commands that run `claude plugin marketplace add/update`, `claude plugin install/update`, and `npm install -g`.
  • dist/index.js worker commands spawn `claude -p ... --dangerously-skip-permissions` based on GitHub issue/PR labels.
  • dist/index.js can send task output to a Slack webhook from `CLAUDE_TASK_WORKER_SLACK_WEBHOOK_URL`.
  • dist/index.js `usage` reads Claude credentials and calls `https://api.anthropic.com/api/oauth/usage`.
Evidence against
  • package.json has no preinstall/install/postinstall hook; only `prepublishOnly`.
  • Agent/plugin mutation is behind explicit `claude-task-worker install` or `update` commands and is first-party named.
  • Child process use is package-aligned: `gh`, `git`, `claude`, and `npm` for documented automation workflows.
  • No eval/vm/Function, obfuscated payload, native binary loading, or hidden import-time execution found.
  • Slack network egress requires an explicit webhook environment variable.
Behavioral surface
Source
ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
Supply chain
UrlStrings
Manifest
No manifest risk signals triggered.
scanned 1 file(s), 61.8 KB of source, external domains: api.anthropic.com, github.com

Source & flagged code

4 flagged
dist/index.js

    L3: // src/gh.ts
    L4: import { execFile } from "node:child_process";
    L5: function execGh(args) {

High
Child Process

Package source references child process execution.

dist/index.js · L3

    L960: import { promisify as promisify2 } from "node:util";
    L961: var execAsync = promisify2(exec);
    L962: var WEBHOOK_URL = process.env.CLAUDE_TASK_WORKER_SLACK_WEBHOOK_URL;

High
Shell

Package source references shell execution.

dist/index.js · L960

    L955: // src/slack.ts
    L956: import { exec } from "node:child_process";
    L957: import { readFileSync as readFileSync2, writeFileSync } from "node:fs";
    ...
    L961: var execAsync = promisify2(exec);
    L962: var WEBHOOK_URL = process.env.CLAUDE_TASK_WORKER_SLACK_WEBHOOK_URL;
    L963: var USAGE_CACHE_PATH = "/tmp/claude-usage-cache.json";
    ...
    L967: try {
    L968:   await fetch(WEBHOOK_URL, {
    L969:     method: "POST",

High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.js · L955

    L967: try {
    L968:   await fetch(WEBHOOK_URL, {
    L969:     method: "POST",
    L970:     headers: { "Content-Type": "application/json" },
    L971:     body: JSON.stringify(payload)
    L972:   });
    ...
    L982: try {
    L983:   const { stdout } = await execAsync('security find-generic-password -s "Claude Code-credentials" -w');
    L984:   return extractToken(JSON.parse(stdout.trim()));

High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.js · L967

Findings

4 High · 2 Medium · 4 Low
  • High · Child Process · dist/index.js
  • High · Shell · dist/index.js
  • High · Same File Env Network Execution · dist/index.js
  • High · Command Output Exfiltration · dist/index.js
  • Medium · Network
  • Medium · Environment Vars
  • Low · Non Install Lifecycle Scripts
  • Low · Scripts Present
  • Low · Filesystem
  • Low · Url Strings