instar@1.3.713

Coherence infrastructure for self-evolving AI agents — on the Claude Code or Codex subscription you already have.

AI Security Review

scanned 4h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface was found by source inspection. Residual risk is a first-party AI-agent platform that installs project-scoped Claude/Codex hooks and can arm project hook trust during explicit setup/update flows.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install for native dependency repair; user-invoked instar init/setup/server/update flows for agent hooks and relay features
Impact
May modify project .claude/.codex/instar files and better-sqlite3 native artifacts; no unconsented install-time foreign agent hijack confirmed
Mechanism
package-aligned lifecycle repair plus first-party project-scoped agent hook installation
Policy narrative
The package ships an AI-agent platform with Claude/Codex hook infrastructure and a postinstall native dependency repair script. The lifecycle script may fetch a better-sqlite3 prebuild from GitHub or rebuild the dependency, but it does not plant agent instructions or hooks. Agent control-surface writes are project-scoped and occur in explicit init/update/server flows, with checks intended to preserve user hooks and avoid global Codex hook registration.
Rationale
This is not clean because it contains substantial agent extension lifecycle capability and project hook arming, but the inspected install-time path does not perform unconsented foreign/broad AI-agent control-surface mutation. Treat as warn-only first-party agent extension lifecycle risk rather than publish-block malware.
Evidence
  • package.json
  • scripts/fix-better-sqlite3.cjs
  • dist/commands/init.js
  • dist/core/installCodexHooks.js
  • dist/core/codexHookArm.js
  • dist/threadline/ThreadlineBootstrap.js
  • .claude/skills/autonomous/hooks/autonomous-stop-hook.sh
  • .claude/hooks/free-text-guard.sh
  • node_modules/better-sqlite3/.instar-fix-state.json
  • node_modules/better-sqlite3/build/tmp/better-sqlite3-*.tar.gz
  • .instar/**
  • .claude/settings.json
  • .codex/hooks.json
  • $HOME/.codex/config.toml
Network endpoints (3)
  • github.com/WiseLibs/better-sqlite3/releases/download/
  • localhost:<port>
  • DEFAULT_RELAY_URL

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json has postinstall: node scripts/fix-better-sqlite3.cjs
  • scripts/fix-better-sqlite3.cjs downloads better-sqlite3 prebuilds from github.com during install if native binary fails
  • dist/core/installCodexHooks.js writes project .codex/hooks.json with multiple agent hooks
  • dist/core/codexHookArm.js can arm those hooks by driving Codex trust flow and reading $HOME/.codex/config.toml
  • dist/commands/init.js creates .claude/settings.json and refreshes Claude/Codex hooks during user-invoked init/update flows
  • dist/threadline/ThreadlineBootstrap.js can register/connect Threadline MCP/relay at runtime when server is started
Evidence against
  • No install-time code writes .claude, .codex, CLAUDE.md, or broad agent control surfaces; postinstall only targets better-sqlite3 repair
  • Codex hooks are scoped to projectDir/.codex/hooks.json, with comments and checks rejecting global ~/.codex/hooks.json mutation
  • armCodexHooks verifies hooks are instar-owned before trust arming and does not use dangerous sandbox bypass flags
  • Packaged .claude skills/hooks are inert until user-invoked setup/init/autonomous flows
  • dist/index.js is export-only and does not perform import-time side effects
  • Scanner secret/unicode hints map to security skill docs/parsing code, not credential harvesting or exfiltration
Behavioral surface
Source
ChildProcess · Crypto · DynamicRequire · EnvironmentVars · Filesystem · Network · Shell · WebSocket
Supply chain
HighEntropyStrings · Obfuscated · UrlStrings
Manifest
No manifest risk signals triggered.
scanned 1,516 file(s), 19.2 MB of source, external domains: 127.0.0.1, abc123.trycloudflare.com, api.anthropic.com, api.cloudflare.com, api.github.com, api.groq.com, api.mail.tm, api.openai.com, api.slack.com, api.telegra.ph, api.telegram.org, blob.vercel-storage.com, bot-me.ai, brew.sh, cli.github.com, console.cloud.google.com, dawn.bot-me.ai, docs.anthropic.com, en.wikipedia.org, feedback.dawn-tunnel.dev, files.slack.com, git-scm.com, github.com, graph.facebook.com, instar-telemetry.sagemind-ai.workers.dev, instar.sh, myapp.vercel.app, nodejs.org, platform.claude.com, raw.githubusercontent.com, sagemindai.io, sentry.io, slack.com, staging.myapp.com, telegra.ph, threadline-relay.fly.dev, web.telegram.org, www.apple.com, www.npmjs.com

Source & flagged code

12 flagged
package.json
scripts.postinstall = node scripts/fix-better-sqlite3.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
skills/credential-leak-detector/SKILL.md
L27: patternName = aws_access_key severity = critical line = 27 matchedText = | AWS ac...F` |
Critical
Critical Secret

Package contains a critical-looking secret pattern.

skills/credential-leak-detector/SKILL.md · L27
L27: patternName = aws_access_key severity = critical line = 27 matchedText = | AWS ac...F` |
Critical
Secret Pattern

AWS access key ID in skills/credential-leak-detector/SKILL.md

skills/credential-leak-detector/SKILL.md · L27
L28: patternName = github_pat severity = critical line = 28 matchedText = | GitHub...x` |
Critical
Secret Pattern

GitHub personal access token in skills/credential-leak-detector/SKILL.md

skills/credential-leak-detector/SKILL.md · L28
L31: patternName = private_key_rsa severity = critical line = 31 matchedText = | PEM pr...-` |
Critical
Secret Pattern

RSA private key in skills/credential-leak-detector/SKILL.md

skills/credential-leak-detector/SKILL.md · L31
dist/threadline/PipeSessionSpawner.js
L15: */
L16: import { execSync } from 'node:child_process';
L17: import fs from 'node:fs';
High
Child Process

Package source references child process execution.

dist/threadline/PipeSessionSpawner.js · L15
L281: // Spawn tmux session
L282: execSync(`tmux new-session -d -s "${sessionName}" -x 200 -y 50 'bash -c "${shellCmd.replace(/"/g, '\\"')}"'`, { timeout: 10_000 });
L283: // Wait for session to be created
High
Shell

Package source references shell execution.

dist/threadline/PipeSessionSpawner.js · L281
dist/memory/SemanticMemory.js
L428: // better-sqlite3 loads its native binding at module-load time, so a
L429: // NODE_MODULE_VERSION mismatch throws inside `await import(...)`. The
L430: // healer rebuilds better-sqlite3 synchronously and retries once. See PROP-399.
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/memory/SemanticMemory.js · L428
skills/spec-converge/scripts/publish-spec-review.mjs
L20: * --spec docs/specs/FOO-SPEC.md \
L21: * --pr https://github.com/JKHeadley/instar/pull/670 \
L22: * --topic 12476 [--send]
...
L30: import path from 'node:path';
L31: import { spawnSync } from 'node:child_process';
L32: import { checkEli16Overview } from '../../../scripts/eli16-overview-check.mjs';
L33:
L34: export const API_PORT = Number(process.env.INSTAR_PORT) || 4042;
L35:
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

skills/spec-converge/scripts/publish-spec-review.mjs · L20
dist/core/upgradeAnnouncement.js
L19: contains invisible/control Unicode U+FEFF (zero width no-break space)
const FRONTMATTER_RE = /^<U+FEFF>?---\r?\n([\s\S]*?)\r?\n---\r?\n?([\s\S]*)$/;
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/core/upgradeAnnouncement.js · L19
.claude/hooks/free-text-guard.sh
path = .claude/hooks/free-text-guard.sh kind = payload_in_excluded_dir sizeBytes = 3888 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.claude/hooks/free-text-guard.sh
path = .claude/hooks/free-text-guard.sh kind = build_helper sizeBytes = 3888 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

.claude/hooks/free-text-guard.sh

Findings

5 Critical · 5 High · 5 Medium · 6 Low
Critical · Critical Secret · skills/credential-leak-detector/SKILL.md
Critical · Trojan Source Unicode · dist/core/upgradeAnnouncement.js
Critical · Secret Pattern · skills/credential-leak-detector/SKILL.md
Critical · Secret Pattern · skills/credential-leak-detector/SKILL.md
Critical · Secret Pattern · skills/credential-leak-detector/SKILL.md
High · Install Time Lifecycle Scripts · package.json
High · Child Process · dist/threadline/PipeSessionSpawner.js
High · Shell · dist/threadline/PipeSessionSpawner.js
High · Same File Env Network Execution · skills/spec-converge/scripts/publish-spec-review.mjs
High · Payload In Excluded Dir · .claude/hooks/free-text-guard.sh
Medium · Dynamic Require · dist/memory/SemanticMemory.js
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · .claude/hooks/free-text-guard.sh
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Url Strings