registry  /  code-brain  /  0.9.0

code-brain@0.9.0

Turn any codebase into searchable knowledge for Claude Code. LLM Wiki + AST Index + MCP Server.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package performs unconsented install-time mutation of Claude Code control files in the installing project. It persists package-owned hooks that inject agent context and run npx code-brain on Claude sessions/tool use.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm postinstall on package install or upgrade
Impact
Alters Claude Code behavior for the project without an explicit user command, steering agent tool choice and executing package CLI hooks in future sessions.
Mechanism
postinstall AI-agent control surface mutation
Policy narrative
Installing code-brain runs scripts/postinstall.cjs, which locates the consumer project root and writes Claude Code skill/instruction files plus .claude/settings.json hooks. Those hooks later execute npx code-brain session-start and pre-tool-nudge to inject context into Claude sessions and Grep tool use. The behavior is package-aligned and documented, but it is still unconsented postinstall mutation of a broad AI-agent control surface.
Rationale
Source inspection confirms concrete install-time writes into Claude Code control files, including persistent hooks that affect later agent behavior. Under the provided policy, unconsented npm postinstall mutation of a foreign/broad AI-agent control surface is blocking even without exfiltration. Product guard normalized a concrete AI-agent control hijack publish_block to the blockable dangerous-capability shape.
Evidence
package.jsonscripts/postinstall.cjsdist/hooks/adoption-hooks.jsskill/SKILL.mdbin/code-brain.jsdist/db/better-sqlite-driver.js.claude/skills/code-brain/SKILL.mdCLAUDE.md.claude/settings.json

Decision evidence

public snapshot
AI called this Malicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json runs postinstall: node scripts/postinstall.cjs || true
  • scripts/postinstall.cjs writes .claude/skills/code-brain/SKILL.md during install
  • scripts/postinstall.cjs creates/appends CLAUDE.md with code-brain instructions
  • scripts/postinstall.cjs mutates .claude/settings.json hooks to run npx code-brain session-start and pre-tool-nudge
  • dist/hooks/adoption-hooks.js injects SessionStart and PreToolUse context steering Claude tool choice
Evidence against
  • README.md openly documents the auto-wired Claude hooks
  • Hook commands are package-aligned and call local code-brain CLI behavior
  • No credential harvesting or exfiltration endpoints found in inspected files
  • Dynamic require in dist/db/better-sqlite-driver.js only loads optional better-sqlite3
  • Shell use is limited to user-invoked CLI features such as graph opener and git helpers
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 48 file(s), 236 KB of source, external domains: github.com

Source & flagged code

5 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.cjs || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.cjs || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/db/better-sqlite-driver.jsView file
4import path from "node:path"; L5: const require = createRequire(import.meta.url); L6: /** Soft warning threshold — log when DB exceeds this */
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/db/better-sqlite-driver.jsView on unpkg · L4
scripts/postinstall.cjsView file
4Install-time AI-agent control hijack evidence: L4: * 1. Install/UPGRADE the skill (version-stamped; refreshes on new versions) L5: * 2. Refresh the code-brain block in CLAUDE.md (version-stamped, marker-bounded) L6: * 3. Wire the deterministic adoption hooks into .claude/settings.json L7: * (SessionStart banner + PreToolUse Grep nudge) — merged, never clobbering ... L33: const src = path.join(pkgDir, "skill", "SKILL.md"); L34: const dest = path.join(projectRoot, ".claude", "skills", "code-brain", "SKILL.md"); L35: if (!fs.existsSync(src)) { console.log(" ⚠️ skill/SKILL.md missing in package"); return; } L36: L37: fs.mkdirSync(path.dirname(dest), { recursive: true }); L38: const srcBody = fs.readFileSync(src, "utf-8"); ... L40: if (!fs.existsSync(dest)) { L41: fs.writeFileSync(dest, srcBody); Payload evidence from skill/SKILL.md: L90: code_brain_recent_activity(module="auth", failures_only=true) L91: → ❌ [Apr 7] Tried WebSocket approach → too complex L92: ``` ... L168: Use when: finished editing, before commit. Catches regressions. L169: Exit code 1 if breaking changes found — safe to use in CI. L170: ... L217: domain: "backend/schedule", L218: body: "Finding: ...\nEvidence:…
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/postinstall.cjsView on unpkg · L4
16Manifest entrypoint (scripts.postinstall) carries capability families absent from dist/build output: environment+network L16: L17: const pkgDir = path.resolve(__dirname, ".."); L18: const projectRoot = findProjectRoot(pkgDir); ... L96: if (fs.existsSync(settingsPath)) { L97: try { settings = JSON.parse(fs.readFileSync(settingsPath, "utf-8")); } L98: catch { console.log(" ⚠️ .claude/settings.json is not valid JSON — skipping hook wiring"); return; } ... L126: L127: This project is indexed by [code-brain](https://github.com/kitara2005/code-brain). Prefer its MCP tools over blind Glob/Grep/Read. L128: ... L156: function readPkgVersion(dir) { L157: try { return JSON.parse(fs.readFileSync(path.join(dir, "package.json"), "utf-8")).version || "0.0.0"; } L158: catch { return "0.0.0"; }
High
Entrypoint Build Divergence

Manifest entrypoint contains risky behavior absent from dist/build output.

scripts/postinstall.cjsView on unpkg · L16

Findings

1 Critical2 High4 Medium4 Low
CriticalAi Agent Control Hijackscripts/postinstall.cjs
HighInstall Time Lifecycle Scriptspackage.json
HighEntrypoint Build Divergencescripts/postinstall.cjs
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/db/better-sqlite-driver.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings