AI Security Review
scanned 6h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No install-time attack surface is present. At started worker/chat runtime, the package launches the external Claude CLI with bypassed permissions and can materialize or auto-fix Claude skill files after detected failures.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User starts the service or enables its webhook/worker integrations; skill-fix actions follow runtime detection.
Impact
A compromised or unsafe model/prompt/workspace can cause unreviewed commands and writes within its configured workspace and forge credentials.
Mechanism
High-privilege external AI-agent execution with automated skill-file mutation and optional forge writes.
Rationale
No evidence establishes malicious npm-package behavior, but the package exposes a high-privilege automated AI-agent and skill-mutation lifecycle that merits a warning rather than clean classification.
Evidence
package.jsonbin/claude-teammate.jssrc/claude/process.jssrc/agentcore/chat-cli.jssrc/agentcore/materialize.jssrc/skills/index.jssrc/skills/fixer.js.claude/skills/~/.claude/skills/
Network endpoints2
api.github.comgitlab.com/
Decision evidence
public snapshotAI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `src/claude/process.js` defaults Claude CLI to `bypassPermissions`.
- `src/agentcore/chat-cli.js` invokes Claude with that mode for chat requests.
- `src/agentcore/materialize.js` writes approved content into workspace `.claude/skills/`.
- `src/skills/index.js` auto-starts fixes after detected skill failures.
- `src/skills/fixer.js` writes skill patches and can use git branches/PRs.
Evidence against
- `package.json` has no preinstall, install, postinstall, or prepare hook.
- `bin/claude-teammate.js` only dispatches explicit CLI commands.
- Network clients target configured Jira/forge/chat integrations, not a hidden collector.
- No eval/vm/native payload loader or covert credential-exfiltration path was found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcesrc/skills/fixer.jsView file
1import { execFile } from "node:child_process";
L2: import { createHash, randomBytes } from "node:crypto";
...
L271: */
L272: export function sk[redacted](env = process.env) {
L273: return Boolean(String(env.DATABASE_URL || "").trim());
...
L659: try {
L660: const { stdout } = await execFileAsync("git", ["remote", "get-url", "origin"], {
L661: cwd: projectRoot,
...
L923: "curl",
L924: ["-sf", "--max-time", "30", "-H", `PRIVATE-TOKEN: ${token}`, url],
L925: { encoding: "utf8", timeout: 35000 }
L926: );
Low
Weak Crypto
Package source references weak cryptographic algorithms.
src/skills/fixer.jsView on unpkg · L1src/scheduler/nl/parse.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = claude-teammate@0.1.322
matchedIdentity = npm:Y2xhdWRlLXRlYW1tYXRl:0.1.322
similarity = 0.966
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
src/scheduler/nl/parse.jsView on unpkgFindings
1 High2 Medium5 Low
HighPrevious Version Dangerous Deltasrc/scheduler/nl/parse.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowWeak Cryptosrc/skills/fixer.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings