AI Security Review
scanned 8h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No install-time attack surface is present. On explicit CLI startup, the package changes the user-level Claude Code MCP configuration to add or replace Playwright, which executes `npx @playwright/mcp@latest` when Claude uses that MCP. Runtime automation also uses Claude CLI with bypassed permissions.
Static reason
No blocking static signals were detected.
Trigger
User runs `claude-teammate start` or `claude-teammate zalo`.
Impact
Persists a first-party automation extension in the user's Claude Code configuration and permits broad downstream agent actions.
Mechanism
Explicit-user-command Claude MCP registration and privileged agent orchestration.
Rationale
No concrete malicious behavior was found, but explicit commands automatically mutate the user-level Claude MCP configuration and enable a remote `npx` MCP command. Per policy, this is a non-blocking extension lifecycle risk rather than clean or malicious.
Evidence
package.jsonbin/claude-teammate.jssrc/commands/start.jssrc/commands/zalo.jssrc/claude/mcp.jssrc/claude/process.jssrc/cli.js~/.claude.json.tm8/.env
Network endpoints5
api.github.comapi.github.com/graphqlchat.googleapis.com/v1oauth2.googleapis.com/tokenbot-api.zaloplatforms.com
Decision evidence
public snapshotAI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `src/commands/start.js` automatically invokes Playwright MCP setup after explicit `start`.
- `src/claude/mcp.js` removes/replaces user-scope `playwright` config and adds `npx @playwright/mcp@latest --headless`.
- `src/claude/process.js` defaults Claude invocations to `bypassPermissions`.
- `src/commands/zalo.js` registers a package-owned Zalo MCP server on explicit `zalo` startup.
Evidence against
- `package.json` contains no preinstall, install, postinstall, or prepare lifecycle hook.
- `bin/claude-teammate.js` only dispatches explicit CLI arguments to `src/cli.js`.
- Credentialed network calls target configured Jira/forge services and named GitHub, Google Chat, and Zalo APIs; no covert endpoint found.
- No credential harvesting, obfuscated payload, eval/vm execution, or import-time persistence found in inspected paths.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcesrc/skills/fixer.jsView file
1import { execFile } from "node:child_process";
L2: import { createHash, randomBytes } from "node:crypto";
...
L271: */
L272: export function sk[redacted](env = process.env) {
L273: return Boolean(String(env.DATABASE_URL || "").trim());
...
L659: try {
L660: const { stdout } = await execFileAsync("git", ["remote", "get-url", "origin"], {
L661: cwd: projectRoot,
...
L923: "curl",
L924: ["-sf", "--max-time", "30", "-H", `PRIVATE-TOKEN: ${token}`, url],
L925: { encoding: "utf8", timeout: 35000 }
L926: );
Low
Weak Crypto
Package source references weak cryptographic algorithms.
src/skills/fixer.jsView on unpkg · L1Findings
2 Medium5 Low
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowWeak Cryptosrc/skills/fixer.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings