registry  /  impel-cli  /  0.14.0

impel-cli@0.14.0

Configure Claude Code and Codex CLI to talk to Impel's gateway, authenticated by an Impel Personal Access Token

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `impel use`, `impel agents sync`, `impel mcp`, `impel claude`, `impel codex`, or app-management commands.
Impact
Can alter selected AI-client configuration and expose user-initiated MCP requests to the configured gateway; this is a real agent-control capability but is not covert malware behavior.
Mechanism
User-invoked AI-client configuration, authenticated gateway proxying, and managed agent-profile writes.
Rationale
No concrete malicious chain was found, but the package deliberately changes AI-agent client control surfaces and proxies authenticated requests after explicit commands. Per policy, this warrants a warning rather than a block.
Evidence
package.jsonbin/impel.jssrc/claudeSetup.jssrc/codexSetup.jssrc/agents.jssrc/commands/mcp.jssrc/apps.jssrc/updates.js~/.config/impel/config.json~/.claude/settings.json~/.claude.json~/.codex/config.toml
Network endpoints5
gateway.useimpel.comwww.useimpel.comregistry.npmjs.orgdownloads.claude.aipersistent.oaistatic.com

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `src/claudeSetup.js` can merge an Impel API helper, gateway URL, and `impel` MCP entry into native Claude configuration.
  • `src/agents.js` fetches an authenticated tenant agent catalog and writes managed Claude/Codex agent profiles.
  • `src/commands/mcp.js` proxies JSON-RPC with the configured tenant bearer credential to `<gateway>/mcp`.
  • `src/apps.js` downloads, modifies, signs, and launches isolated vendor desktop-app wrappers after explicit app commands.
Evidence against
  • `package.json` has no preinstall, install, postinstall, prepare, or other lifecycle hook.
  • `bin/impel.js` only dispatches the user-invoked CLI; there is no import-time execution path.
  • Network requests target configured Impel services and npm update metadata, not hidden third-party endpoints.
  • The inspected process launches use explicit CLI/platform-tool paths; no eval, VM execution, or remote payload loader was found.
  • Credential/config writes use owner-only modes and managed profile roots, with symlink checks in agent/Codex helpers.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 38 file(s), 402 KB of source, external domains: apps.microsoft.com, claude.com, downloads.claude.ai, gateway.useimpel.ai, gateway.useimpel.com, persistent.oaistatic.com, registry.npmjs.org, www.apple.com, www.useimpel.com

Source & flagged code

5 flagged · loading source
src/codesign.jsView file
26import crypto from "node:crypto"; L27: import { spawnSync } from "node:child_process"; L28:
High
Child Process

Package source references child process execution.

src/codesign.jsView on unpkg · L26
src/commands/update.jsView file
210if (io.platform === "win32") { L211: console.error(" Verify `npm --version` in PowerShell, then retry `impel update`."); L212: console.error(" Manual recovery: `npm install --global impel-cli@latest`.");
High
Shell

Package source references shell execution.

src/commands/update.jsView on unpkg · L210
src/apps.jsView file
1647if (process.type === "browser" && displayName) { L1648: const Module = require("node:module"); L1649: const path = require("node:path");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/apps.jsView on unpkg · L1647
src/updates.jsView file
11import path from "node:path"; L12: import { spawn } from "node:child_process"; L13: import { fileURLToPath } from "node:url"; ... L21: const DEFAULT_UPDATE_PACKAGE = "impel-cli"; L22: const DEFAULT_UPDATE_REGISTRY = "https://registry.npmjs.org"; L23: const VERSION_RE = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/u; ... L25: export function updatePackage() { L26: return process.env.IMPEL_UPDATE_PACKAGE || DEFAULT_UPDATE_PACKAGE; L27: }
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

src/updates.jsView on unpkg · L11
src/gateway/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = impel-cli@0.13.2 matchedIdentity = npm:aW1wZWwtY2xp:0.13.2 similarity = 0.973 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/gateway/index.jsView on unpkg

Findings

4 High3 Medium5 Low
HighChild Processsrc/codesign.js
HighShellsrc/commands/update.js
HighSame File Env Network Executionsrc/updates.js
HighPrevious Version Dangerous Deltasrc/gateway/index.js
MediumDynamic Requiresrc/apps.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License