registry  /  claude-teammate  /  0.1.323

claude-teammate@0.1.323

CLI bootstrapper for Claude Teammate.

AI Security Review

scanned 7h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No install-time attack surface is present. At started worker/chat runtime, the package launches the external Claude CLI with bypassed permissions and can materialize or auto-fix Claude skill files after detected failures.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User starts the service or enables its webhook/worker integrations; skill-fix actions follow runtime detection.
Impact
A compromised or unsafe model/prompt/workspace can cause unreviewed commands and writes within its configured workspace and forge credentials.
Mechanism
High-privilege external AI-agent execution with automated skill-file mutation and optional forge writes.
Rationale
No evidence establishes malicious npm-package behavior, but the package exposes a high-privilege automated AI-agent and skill-mutation lifecycle that merits a warning rather than clean classification.
Evidence
package.jsonbin/claude-teammate.jssrc/claude/process.jssrc/agentcore/chat-cli.jssrc/agentcore/materialize.jssrc/skills/index.jssrc/skills/fixer.js.claude/skills/~/.claude/skills/
Network endpoints2
api.github.comgitlab.com/

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `src/claude/process.js` defaults Claude CLI to `bypassPermissions`.
  • `src/agentcore/chat-cli.js` invokes Claude with that mode for chat requests.
  • `src/agentcore/materialize.js` writes approved content into workspace `.claude/skills/`.
  • `src/skills/index.js` auto-starts fixes after detected skill failures.
  • `src/skills/fixer.js` writes skill patches and can use git branches/PRs.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare hook.
  • `bin/claude-teammate.js` only dispatches explicit CLI commands.
  • Network clients target configured Jira/forge/chat integrations, not a hidden collector.
  • No eval/vm/native payload loader or covert credential-exfiltration path was found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 117 file(s), 947 KB of source, external domains: accounts.google.com, api.github.com, bot-api.zaloplatforms.com, bot.ignify.co, chat.googleapis.com, fonts.googleapis.com, fonts.gstatic.com, github.com, gitlab.com, media.tenor.com, media1.tenor.com, oauth2.googleapis.com, www.googleapis.com, yourorg.atlassian.net

Source & flagged code

2 flagged · loading source
src/skills/fixer.jsView file
1import { execFile } from "node:child_process"; L2: import { createHash, randomBytes } from "node:crypto"; ... L271: */ L272: export function sk[redacted](env = process.env) { L273: return Boolean(String(env.DATABASE_URL || "").trim()); ... L659: try { L660: const { stdout } = await execFileAsync("git", ["remote", "get-url", "origin"], { L661: cwd: projectRoot, ... L923: "curl", L924: ["-sf", "--max-time", "30", "-H", `PRIVATE-TOKEN: ${token}`, url], L925: { encoding: "utf8", timeout: 35000 } L926: );
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/skills/fixer.jsView on unpkg · L1
src/scheduler/nl/parse.jsView file
matchType = previous_version_dangerous_delta matchedPackage = claude-teammate@0.1.322 matchedIdentity = npm:Y2xhdWRlLXRlYW1tYXRl:0.1.322 similarity = 0.966 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/scheduler/nl/parse.jsView on unpkg

Findings

1 High2 Medium5 Low
HighPrevious Version Dangerous Deltasrc/scheduler/nl/parse.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowWeak Cryptosrc/skills/fixer.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings