registry  /  hatch3r  /  2.2.0

hatch3r@2.2.0

Agentic coding setup framework audited each release across 24 governance domains. One command to hatch your agent stack -- agents, skills, rules, commands, and MCP for Claude Code, Cursor, and GitHub Copilot.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface; the package is a first-party agent setup CLI that explicitly writes AI-agent configuration when invoked. This creates lifecycle/control-surface risk but not unconsented install-time hijack.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs hatch3r init, sync, update, mcp setup, setup, or worktree-setup.
Impact
Can modify project AI-agent behavior and MCP configuration under managed repo paths; user opt-in is required for the reviewed paths.
Mechanism
explicit repository agent configuration generation and managed hook emission
Rationale
Static source inspection supports a warning for explicit first-party AI-agent control-surface setup, not a publish block. The scanner's malicious label appears to conflate documented user-invoked agent configuration and safety hooks with unconsented install-time hijack.
Evidence
package.jsonREADME.mddist/cli/index.js.hatch3r/CLAUDE.md.claude/.claude/settings.json.claude/hooks/pretooluse-allowlist.mjs.claude/hooks/agent-tool-policies.json.cursor/.cursor/mcp.json.cursor/hooks/subagent-guard.mjs.mcp.json.vscode/mcp.json.github/
Network endpoints4
github.com/hatch3r/hatch3r.gitdocs.hatch3r.comregistry.npmjs.orggithub.com/hatch3r/hatch3r/issues

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/cli/index.js registers user-invoked init/sync/update/mcp commands that generate agent configuration into repos.
  • dist/cli/index.js emits Claude Code and Cursor control-surface files including .claude/settings.json, .claude/hooks/pretooluse-allowlist.mjs, .cursor/hooks/subagent-guard.mjs, .mcp.json, .cursor/mcp.json, and .vscode/mcp.json.
  • dist/cli/index.js writes Claude hooks that can echo hatch3r agent activation directives and, when worktree support is enabled, run npx hatch3r worktree-setup.
  • dist/cli/index.js includes update-notifier runtime update checks unless HATCH3R_NO_UPDATE_CHECK or --no-update-check is set.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hook; prepublishOnly is publish-time build cleanup only.
  • README.md documents the package purpose as an explicit agent setup CLI and documents generated .claude/.cursor/.github/MCP outputs.
  • MCP setup is opt-in per README.md and DEFAULT_FEATURES.mcp is false in dist/cli/index.js.
  • Filesystem writes are behind explicit CLI commands and use managed-block/safeWrite logic rather than install-time mutation.
  • No credential harvesting or exfiltration flow found; env vars are documented MCP placeholders and .env.mcp is preserved on clean.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 1.20 MB of source, external domains: aka.ms, ast-grep.github.io, brave.com, cli.github.com, code.claude.com, code.visualstudio.com, comby.dev, csvkit.readthedocs.io, curl.se, cursor.com, dev.azure.com, difftastic.wilfred.me.uk, docs.docker.com, docs.github.com, docs.hatch3r.com, duckdb.org, example.test, get.docker.com, github.com, gitlab.com, httpie.io, install.duckdb.org, learn.microsoft.com, linear.app, llm.datasette.io, miller.readthedocs.io, playwright.dev, podman.io, raw.githubusercontent.com, rtk.dev, sentry.io, taplo.tamasfe.dev

Source & flagged code

3 flagged · loading source
dist/cli/index.jsView file
893contains invisible/control Unicode U+FEFF (zero width no-break space) return nfkd.replace(/[\u0300-\u036F]/g, "").replace(/[\u0100-\u024F\u0370-\u03FF\u0400-\u04FF\u0530-\u058F\u10D0-\u10FF\u13A0-\u13FF\u2C80-\u2CFF]/g, (ch) => HOMOGLYPH_MAP[ch] ?? ch).replace(/[\u{10400}-\u{1044F}\u{104B0}-\u{104FF}]/gu, (
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/cli/index.jsView on unpkg · L893
Trigger-reachable chain: manifest.bin -> dist/cli/index.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cli/index.jsView on unpkg
28const here = fileURLToPath11(import.meta.url); L29: const pkgPath = resolve10(dirname28(here), "..", "package.json"); L30: const raw = readFileSync5(pkgPath, "utf8"); L31: const parsed = JSON.parse(raw); L32: return parsed.version ?? "0.0.0-dev"; ... L146: indent: 2, L147: stream: process.stderr L148: }); ... L170: function supportsUnicode() { L171: if (process.env.HATCH3R_ASCII === "1") return false; L172: if (process.platform !== "win32") return true; L173: if (process.env.CI !== void 0) return true;
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli/index.jsView on unpkg · L28

Findings

2 Critical3 Medium5 Low
CriticalTrojan Source Unicodedist/cli/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/cli/index.js
MediumEnvironment Vars
MediumInstall Persistencedist/cli/index.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings