registry  /  claude-teammate  /  0.1.322

claude-teammate@0.1.322

CLI bootstrapper for Claude Teammate.

AI Security Review

scanned 8h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No install-time attack surface is present. On explicit CLI startup, the package changes the user-level Claude Code MCP configuration to add or replace Playwright, which executes `npx @playwright/mcp@latest` when Claude uses that MCP. Runtime automation also uses Claude CLI with bypassed permissions.

Static reason
No blocking static signals were detected.
Trigger
User runs `claude-teammate start` or `claude-teammate zalo`.
Impact
Persists a first-party automation extension in the user's Claude Code configuration and permits broad downstream agent actions.
Mechanism
Explicit-user-command Claude MCP registration and privileged agent orchestration.
Rationale
No concrete malicious behavior was found, but explicit commands automatically mutate the user-level Claude MCP configuration and enable a remote `npx` MCP command. Per policy, this is a non-blocking extension lifecycle risk rather than clean or malicious.
Evidence
package.jsonbin/claude-teammate.jssrc/commands/start.jssrc/commands/zalo.jssrc/claude/mcp.jssrc/claude/process.jssrc/cli.js~/.claude.json.tm8/.env
Network endpoints5
api.github.comapi.github.com/graphqlchat.googleapis.com/v1oauth2.googleapis.com/tokenbot-api.zaloplatforms.com

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `src/commands/start.js` automatically invokes Playwright MCP setup after explicit `start`.
  • `src/claude/mcp.js` removes/replaces user-scope `playwright` config and adds `npx @playwright/mcp@latest --headless`.
  • `src/claude/process.js` defaults Claude invocations to `bypassPermissions`.
  • `src/commands/zalo.js` registers a package-owned Zalo MCP server on explicit `zalo` startup.
Evidence against
  • `package.json` contains no preinstall, install, postinstall, or prepare lifecycle hook.
  • `bin/claude-teammate.js` only dispatches explicit CLI arguments to `src/cli.js`.
  • Credentialed network calls target configured Jira/forge services and named GitHub, Google Chat, and Zalo APIs; no covert endpoint found.
  • No credential harvesting, obfuscated payload, eval/vm execution, or import-time persistence found in inspected paths.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 117 file(s), 933 KB of source, external domains: accounts.google.com, api.github.com, bot-api.zaloplatforms.com, bot.ignify.co, chat.googleapis.com, fonts.googleapis.com, fonts.gstatic.com, github.com, gitlab.com, media.tenor.com, media1.tenor.com, oauth2.googleapis.com, www.googleapis.com, yourorg.atlassian.net

Source & flagged code

1 flagged · loading source
src/skills/fixer.jsView file
1import { execFile } from "node:child_process"; L2: import { createHash, randomBytes } from "node:crypto"; ... L271: */ L272: export function sk[redacted](env = process.env) { L273: return Boolean(String(env.DATABASE_URL || "").trim()); ... L659: try { L660: const { stdout } = await execFileAsync("git", ["remote", "get-url", "origin"], { L661: cwd: projectRoot, ... L923: "curl", L924: ["-sf", "--max-time", "30", "-H", `PRIVATE-TOKEN: ${token}`, url], L925: { encoding: "utf8", timeout: 35000 } L926: );
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/skills/fixer.jsView on unpkg · L1

Findings

2 Medium5 Low
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowWeak Cryptosrc/skills/fixer.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings