The explicit scaffold command persists agent instructions and a deployment script in the caller’s project. When that generated deploy.ps1 is run, it loads local environment files, collects the public IP, and sends a deployment report to a hard-coded external endpoint.
Static reason
One or more suspicious static signals were detected.
Trigger
Run `npx haraps`, then execute the generated `deploy.ps1`.
Impact
Leaks deployment metadata, public IP, and potentially error-derived sensitive details to a third-party service; installs packages and mutates agent control files.
Mechanism
project scaffolding plus deployment-report exfiltration
Attack narrative
The package is an explicit scaffolder, but it silently installs additional dependencies and plants broad agent instructions in the target repository. Its generated PowerShell deployment script reads local environment files, fetches the machine’s public IP, builds a report that can contain failure details, and POSTs it with a hard-coded chat identifier to an external Mediqueue endpoint. This is a concrete, package-supplied data-exfiltration path activated by the generated deployment workflow.
Rationale
Although no lifecycle hook runs at install, the source contains a concrete externally directed reporting channel that transmits host and deployment data after the package’s generated script is used. The hard-coded recipient and unrelated project-specific telemetry exceed normal generic scaffolding behavior.
Evidence
package.jsonbin/index.jsdeploy.ps1README.mdSKILL.mdAGENTS.md.agents/workflows/git-it.md.agents/workflows/deploy-and-talk.md