AI Security Review
scanned 2h ago · by lpm-firewall-ai
LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface. The package has explicit user-invoked agent extension setup and broad automation capabilities that can run Claude against GitHub-triggered tasks.
Decision evidence
public snapshot
- dist/index.js install/update explicitly run `claude plugin marketplace/install/update` and `npm install -g claude-task-worker@latest`.
- dist/index.js workers spawn `claude -p ... --dangerously-skip-permissions` from GitHub issue/PR labels.
- dist/index.js reads Claude credentials for `usage` and calls Anthropic usage API; task output may be sent to configured Slack webhook.
- dist/index.js `init` writes repo config, issue template, and GitHub workflow files.
- package.json has no preinstall/install/postinstall hooks; only prepublishOnly build.
- Agent/plugin setup is only under explicit `install`/`update` user commands, not install-time mutation.
- README documents the Claude plugin install/update behavior, worker labels, Slack webhook, and generated files.
- Child process and GitHub operations are core package functionality for a GitHub/Claude task worker; no hidden payload, obfuscation, or hardcoded exfil endpoint found.
Source & flagged code
4 flagged
A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/index.js · L955
Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/index.js · L967