registry  /  forgedock  /  1.3.0

forgedock@1.3.0

Autonomous dev pipeline for Claude Code. GitHub as institutional memory — every issue, PR, and annotation survives context resets and makes the next agent smarter.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The CLI can install ForgeDock-owned Claude Code hooks and command links after the user invokes its install/onboarding flow. Those hooks persist in the user's Claude Code configuration and can constrain later agent tool use.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `forgedock`/`forgedock install` or its onboarding flow.
Impact
Persistent package-controlled behavior in Claude Code sessions, including blocking selected Bash actions.
Mechanism
Registers Claude Code hooks, links commands, and persists a package-owned toolset.
Rationale
Source inspection does not support a malicious verdict: there is no npm lifecycle execution, credential harvesting, covert exfiltration, or remote payload execution. The explicit global Claude Code hook setup is nevertheless a meaningful lifecycle/control-surface risk under the firewall policy.
Evidence
package.jsonbin/journey.mjsbin/settings-hook.mjsbin/hooks/session-start.mjsbin/hooks/pre-tool-use.mjsbin/forgedock.mjsbin/init-enrich-api.mjs~/.claude/settings.json~/.claude/commands/~/.claude/scripts/~/.forge/
Network endpoints2
registry.npmjs.org/forgedock/latestapi.anthropic.com/v1/messages

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `bin/journey.mjs` registers SessionStart, PreToolUse, and SubagentStop hooks in `~/.claude/settings.json` during the user-invoked forge/install flow.
  • `bin/hooks/pre-tool-use.mjs` intercepts Claude Code Bash tool calls and can block PR, label, git, gist, filesystem, and attribution actions.
  • `bin/journey.mjs` copies the package payload into `~/.forge/` and links commands/scripts into `~/.claude/`.
  • `bin/forgedock.mjs` can self-update a global install only when the user runs its update command.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
  • Hook installation is performed by the executable's explicit install/onboarding path, not npm installation.
  • `bin/settings-hook.mjs` preserves unrelated settings and refuses malformed JSON rather than overwriting it.
  • Observed network calls are package-aligned: npm version lookup and optional BYO-key Anthropic enrichment.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
CopyleftLicense
scanned 55 file(s), 1009 KB of source, external domains: acme.io, api.acme.io, api.anthropic.com, api.example.com, api.github.com, claude.com, cli.github.com, dev.to, docs.anthropic.com, forgedock.com, git-scm.com, gitforwindows.org, github.com, gql.hashnode.com, umami.acme.io

Source & flagged code

10 flagged · loading source
bin/init-detect.mjsView file
22* - Safe: every try/catch degrades to "low" confidence defaults, never throws L23: * - Isolated: imports only Node builtins (child_process, path) L24: * - Testable: inject `cwd` to point at a fixture repo and assert the draft
High
Child Process

Package source references child process execution.

bin/init-detect.mjsView on unpkg · L22
bin/init-enrich-cli.mjsView file
11* L12: * SECURITY — argv array, NEVER `shell: true`: the enrichment prompt embeds L13: * the full ConfigDraft JSON as a single, unparsed argv element passed to
High
Shell

Package source references shell execution.

bin/init-enrich-cli.mjsView on unpkg · L11
examples/forgedock-demo/src/db.jsView file
36// eslint-disable-next-line no-new-func L37: const predicate = new Function('row', `with (row) { return (${whereClause}); }`); L38: return notes.filter((row) => {
Low
Eval

Package source references a known benign dynamic code generation pattern.

examples/forgedock-demo/src/db.jsView on unpkg · L36
bin/hooks/pre-tool-use.mjsView file
5import { fileURLToPath, pathToFileURL } from "url"; L6: const _require = createRequire(import.meta.url); L7:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/hooks/pre-tool-use.mjsView on unpkg · L5
bin/forgedock.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = forgedock@1.1.11 matchedIdentity = npm:Zm9yZ2Vkb2Nr:1.1.11 similarity = 0.725 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/forgedock.mjsView on unpkg
1482* (forge#2133) to decide whether a newer published version can be installed L1483: * in place with `npm install -g forgedock@latest`, versus the npx-cache case L1484: * where there is nothing durable to reinstall over. ... L1494: try { L1495: const globalRoot = execSync("npm root -g", { L1496: encoding: "utf-8",
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/forgedock.mjsView on unpkg · L1482
15} from "fs"; L16: import { execSync, execFileSync, spawnSync } from "child_process"; L17: import { homedir } from "os"; L18: import https from "https"; L19: import { ... L85: const __filename = fileURLToPath(import.meta.url); L86: const __dirname = dirname(__filename); L87: ... L148: // os.homedir() as the always-available fallback (no hard exit — see #744). L149: const HOME = process.env.HOME || process.env.USERPROFILE || homedir(); L150: ... L252: * Strip JSONC syntax (single-line comments, block comments, trailing commas)
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

bin/forgedock.mjsView on unpkg · L15
examples/forgedock-demo/bootstrap.shView file
path = examples/forgedock-demo/bootstrap.sh kind = build_helper sizeBytes = 4902 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

examples/forgedock-demo/bootstrap.shView on unpkg
docs/CONFIG.mdView file
470patternName = generic_password severity = medium line = 470 matchedText = password...ord"
Medium
Secret Pattern

Hardcoded password in docs/CONFIG.md

docs/CONFIG.mdView on unpkg · L470
479patternName = generic_password severity = medium line = 479 matchedText = password...ord"
Medium
Secret Pattern

Hardcoded password in docs/CONFIG.md

docs/CONFIG.mdView on unpkg · L479

Findings

1 Critical3 High8 Medium6 Low
CriticalPrevious Version Dangerous Deltabin/forgedock.mjs
HighChild Processbin/init-detect.mjs
HighShellbin/init-enrich-cli.mjs
HighRuntime Package Installbin/forgedock.mjs
MediumDynamic Requirebin/hooks/pre-tool-use.mjs
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencebin/forgedock.mjs
MediumShips Build Helperexamples/forgedock-demo/bootstrap.sh
MediumStructural Risk Force Deep Review
MediumSecret Patterndocs/CONFIG.md
MediumSecret Patterndocs/CONFIG.md
LowScripts Present
LowEvalexamples/forgedock-demo/src/db.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License