
imhcode@1.0.5

IMH-Code — Imam Hussain Coding Harness Platform. A fast-first multi-agent AI coding framework with intelligent model routing. 19 generic role-based agents (planner, nextjs-executor, laravel-executor, etc.), configurable testing strategy, and 7 token-savin

AI Security Review

scanned 18m ago · by lpm-firewall-ai

User-invoked initialization writes persistent IMH-Code guidance and skills into multiple global AI assistant configuration directories, and later live execution can run local AI CLIs with permission bypass flags. This is dangerous agent-platform behavior but not npm lifecycle hijacking.

Static reason
High-risk behavior combination matched malicious policy; previous stored version diff introduced dangerous source.
Trigger
User runs imhcode init or imhcode agent run/execute with live routed engines.
Impact
Can broadly steer local AI assistants and execute generated agent tasks with reduced approval/sandbox protections after user invocation.
Mechanism
global AI-agent config mutation and permission-bypassing CLI orchestration
Attack narrative
The package is an AI coding orchestration platform. When the user runs the CLI init path, it overwrites or creates global assistant instructions/skills for Claude, Gemini/Antigravity, and Copilot, installs shell shims, may install a global skills CLI, and configures agent model routing. Live task execution can invoke local AI CLIs with dangerous permission bypass flags. This is not automatic npm-install malware, but it creates a broad persistent AI-agent control surface.
Rationale
Static inspection confirms risky, persistent, user-invoked AI-agent setup and permission-bypass orchestration, but no lifecycle hook, import-time execution, credential theft, exfiltration, or unconsented npm-install mutation. Under the provided policy this should warn rather than publish-block because activation is explicit CLI use, not lifecycle delivery.
Evidence
package.json, bin/imhcode.js, src/orchestrator/executor.ts, CLAUDE.md, AGENTS.md, ~/.imhcode/, ~/.claude/CLAUDE.md, ~/.claude/AGENTS.md, ~/.claude/skills/, ~/.gemini/CLAUDE.md, ~/.gemini/AGENTS.md, ~/.gemini/skills/, ~/.copilot/CLAUDE.md, ~/.copilot/AGENTS.md, ~/.copilot/skills/, ~/.local/bin/imhcode, ~/.zshrc, ~/.bashrc, ~/.bash_profile, ~/.profile, docs/start.md
Network endpoints (4)
git+https://github.com/goharabbas321/imhcode.git, github.com/goharabbas321/imhcode#readme, github.com/goharabbas321/imhcode/issues, juliusbrussee/caveman

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • bin/imhcode.js default init copies package CLAUDE.md, AGENTS.md, and skills into ~/.claude, ~/.gemini, and ~/.copilot.
  • bin/imhcode.js registerCliGlobally appends PATH exports to .zshrc/.bashrc/.bash_profile/.profile and writes shims under ~/.imhcode/bin and ~/.local/bin.
  • bin/imhcode.js ensureCavemanAndGraphify can run npm install -g skills and npx skills add juliusbrussee/caveman during init.
  • src/orchestrator/executor.ts launches opencode with --dangerously-skip-permissions and codex with --dangerously-bypass-approvals-and-sandbox when live agent execution is requested.
  • AGENTS.md contains hard-gate agent workflow instructions intended to steer AI coding agents.
Evidence against
  • package.json has no npm lifecycle scripts, so behavior is not install-time triggered.
  • Broad control-surface writes are reached by explicitly running the imhcode CLI init path, not by import or npm install.
  • No credential harvesting or data exfiltration logic found in inspected entrypoints.
  • Network activity observed is package-aligned setup/model CLI behavior, not a hardcoded exfiltration endpoint.
  • CLAUDE.md/AGENTS.md content is product workflow guidance rather than covert payload instructions.
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, Eval, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 57 file(s), 423 KB of source, external domains: api.github.com, example.com, fonts.google.com, github.com, raw.githubusercontent.com, www.typeui.sh

Source & flagged code

22 flagged
skills/typeui-main/src/prompts/designSystem.ts
L18: async function loadInquirer(): Promise<InquirerModule["default"]> {
L19: const dynamicImport = new Function(
L20: "specifier",
Low
Eval

Package source references a known benign dynamic code generation pattern.

skills/typeui-main/src/prompts/designSystem.ts · L18
bin/imhcode.js
L24: const path = require('path');
L25: const { execSync, spawnSync } = require('child_process');
L26: const os = require('os');
...
L34: const CONFIG_FILE = 'imhcode.config.json';
L35: const GLOBAL_DIR = path.join(os.homedir(), '.imhcode');
L36: const LOCAL_DIR_NAME = '.imhcode';
...
L49: if (command === '--version' || command === '-v') {
L50: const pkg = require(path.join(__dirname, '..', 'package.json'));
L51: console.log(`${CLI_CMD} version: ${pkg.version}`);
...
L483: # 3. Run development server
L484: ${stack.includes('Next.js') ? 'cd frontend && npm run dev # → http://localhost:3000' : ''}
L485: ${stack.includes('Vue 3 / Nuxt 4') ? 'cd frontend && npm run dev # → http://localhost:3000' : ''}
Critical
Persistence Backdoor

Source writes persistence or remote-access backdoor material.

bin/imhcode.js · L24
Trigger-reachable chain: manifest.bin -> bin/imhcode.js
L24: const path = require('path');
L25: const { execSync, spawnSync } = require('child_process');
L26: const os = require('os');
...
L34: const CONFIG_FILE = 'imhcode.config.json';
L35: const GLOBAL_DIR = path.join(os.homedir(), '.imhcode');
L36: const LOCAL_DIR_NAME = '.imhcode';
...
L49: if (command === '--version' || command === '-v') {
L50: const pkg = require(path.join(__dirname, '..', 'package.json'));
L51: console.log(`${CLI_CMD} version: ${pkg.version}`);
...
L483: # 3. Run development server
L484: ${stack.includes('Next.js') ? 'cd frontend && npm run dev # → http://localhost:3000' : ''}
L485: ${stack.includes('Vue 3 / Nuxt 4') ? 'cd frontend && npm run dev # → http://localhost:3000' : ''}
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

bin/imhcode.js · L24
matchType = previous_version_dangerous_delta matchedPackage = imhcode@1.0.0 matchedIdentity = npm:aW1oY29kZQ:1.0.0 similarity = 0.947 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/imhcode.js
Manifest entrypoint (manifest.bin) carries capability families absent from dist/build output: sensitive-file+network, execution+network
L24: const path = require('path');
L25: const { execSync, spawnSync } = require('child_process');
L26: const os = require('os');
...
L34: const CONFIG_FILE = 'imhcode.config.json';
L35: const GLOBAL_DIR = path.join(os.homedir(), '.imhcode');
L36: const LOCAL_DIR_NAME = '.imhcode';
...
L49: if (command === '--version' || command === '-v') {
L50: const pkg = require(path.join(__dirname, '..', 'package.json'));
L51: console.log(`${CLI_CMD} version: ${pkg.version}`);
...
L483: # 3. Run development server
L484: ${stack.includes('Next.js') ? 'cd frontend && npm run dev # → http://localhost:3000' : ''}
L485: ${stack.includes('Vue 3 / Nuxt 4') ? 'cd frontend && npm run dev # → http://localhost:3000' : ''}
High
Entrypoint Build Divergence

Manifest entrypoint contains risky behavior absent from dist/build output.

bin/imhcode.js · L24
L23: const fs = require('fs');
L24: const path = require('path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/imhcode.js · L22
skills/ui-ux-pro-max/.claude/skills/design/scripts/cip/generate.py
path = skills/ui-ux-pro-max/.[redacted].py kind = payload_in_excluded_dir sizeBytes = 19430 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

skills/ui-ux-pro-max/.claude/skills/design/scripts/cip/generate.py
path = skills/ui-ux-pro-max/.[redacted].py kind = build_helper sizeBytes = 19430 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

skills/ui-ux-pro-max/.claude/skills/design/scripts/cip/generate.py
skills/theme-factory/theme-showcase.pdf
path = skills/theme-factory/theme-showcase.pdf kind = high_entropy_blob sizeBytes = 124310 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

skills/theme-factory/theme-showcase.pdf
skills/graphify/skill-windows.md
patternName = generic_password severity = medium line = 681 matchedText = result =...ies)
Medium
Secret Pattern

Hardcoded password in skills/graphify/skill-windows.md

skills/graphify/skill-windows.md · L681
skills/graphify/skill-trae.md
patternName = generic_password severity = medium line = 592 matchedText = result =...ies)
Medium
Secret Pattern

Hardcoded password in skills/graphify/skill-trae.md

skills/graphify/skill-trae.md · L592
skills/graphify/skill-pi.md
patternName = generic_password severity = medium line = 543 matchedText = result =...ies)
Medium
Secret Pattern

Hardcoded password in skills/graphify/skill-pi.md

skills/graphify/skill-pi.md · L543
skills/graphify/skill-codex.md
patternName = generic_password severity = medium line = 605 matchedText = result =...ies)
Medium
Secret Pattern

Hardcoded password in skills/graphify/skill-codex.md

skills/graphify/skill-codex.md · L605
skills/graphify/skill-kiro.md
patternName = generic_password severity = medium line = 543 matchedText = result =...ies)
Medium
Secret Pattern

Hardcoded password in skills/graphify/skill-kiro.md

skills/graphify/skill-kiro.md · L543
skills/graphify/skill-copilot.md
patternName = generic_password severity = medium line = 603 matchedText = result =...ies)
Medium
Secret Pattern

Hardcoded password in skills/graphify/skill-copilot.md

skills/graphify/skill-copilot.md · L603
skills/graphify/skill-opencode.md
patternName = generic_password severity = medium line = 655 matchedText = result =...ies)
Medium
Secret Pattern

Hardcoded password in skills/graphify/skill-opencode.md

skills/graphify/skill-opencode.md · L655
skills/graphify/skill-aider.md
patternName = generic_password severity = medium line = 544 matchedText = result =...ies)
Medium
Secret Pattern

Hardcoded password in skills/graphify/skill-aider.md

skills/graphify/skill-aider.md · L544
skills/graphify/skill-claw.md
patternName = generic_password severity = medium line = 544 matchedText = result =...ies)
Medium
Secret Pattern

Hardcoded password in skills/graphify/skill-claw.md

skills/graphify/skill-claw.md · L544
skills/graphify/skill-droid.md
patternName = generic_password severity = medium line = 600 matchedText = result =...ies)
Medium
Secret Pattern

Hardcoded password in skills/graphify/skill-droid.md

skills/graphify/skill-droid.md · L600
skills/django-tdd/SKILL.md
patternName = generic_password severity = medium line = 25 matchedText = user = U...23')
Medium
Secret Pattern

Hardcoded password in skills/django-tdd/SKILL.md

skills/django-tdd/SKILL.md · L25
patternName = generic_password severity = medium line = 117 matchedText = password...23',
Medium
Secret Pattern

Hardcoded password in skills/django-tdd/SKILL.md

skills/django-tdd/SKILL.md · L117
patternName = generic_password severity = medium line = 126 matchedText = password...23',
Medium
Secret Pattern

Hardcoded password in skills/django-tdd/SKILL.md

skills/django-tdd/SKILL.md · L126

Findings

3 Critical · 3 High · 17 Medium · 5 Low
Critical · Persistence Backdoor · bin/imhcode.js
Critical · Trigger Reachable Dangerous Capability · bin/imhcode.js
Critical · Previous Version Dangerous Delta · bin/imhcode.js
High · Entrypoint Build Divergence · bin/imhcode.js
High · Ships High Entropy Blob · skills/theme-factory/theme-showcase.pdf
High · Payload In Excluded Dir · skills/ui-ux-pro-max/.claude/skills/design/scripts/cip/generate.py
Medium · Dynamic Require · bin/imhcode.js
Medium · Network
Medium · Ships Build Helper · skills/ui-ux-pro-max/.claude/skills/design/scripts/cip/generate.py
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · skills/graphify/skill-windows.md
Medium · Secret Pattern · skills/graphify/skill-trae.md
Medium · Secret Pattern · skills/graphify/skill-pi.md
Medium · Secret Pattern · skills/graphify/skill-codex.md
Medium · Secret Pattern · skills/graphify/skill-kiro.md
Medium · Secret Pattern · skills/graphify/skill-copilot.md
Medium · Secret Pattern · skills/graphify/skill-opencode.md
Medium · Secret Pattern · skills/graphify/skill-aider.md
Medium · Secret Pattern · skills/graphify/skill-claw.md
Medium · Secret Pattern · skills/graphify/skill-droid.md
Medium · Secret Pattern · skills/django-tdd/SKILL.md
Medium · Secret Pattern · skills/django-tdd/SKILL.md
Medium · Secret Pattern · skills/django-tdd/SKILL.md
Low · Scripts Present
Low · Eval · skills/typeui-main/src/prompts/designSystem.ts
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings