AI Security Review
scanned 4h ago · by lpm-firewall-ai

LPM treats this as a warn-only, first-party agent-extension lifecycle risk. Instar is an AI-agent platform that can scaffold Claude/Codex hooks, MCP configuration, skills, and permission-bypass-oriented sessions. The risky control-surface changes are tied to explicit CLI initialization, while install-time code is limited to native dependency repair.
Decision evidence
public snapshot
- dist/commands/init.js registers Claude hooks, including PermissionRequest auto-approve, during user-invoked init.
- dist/commands/init.js writes ~/.claude.json project MCP config and .mcp.json with npx -y @playwright/mcp@latest.
- dist/core/installCodexHooks.js writes per-project .codex/hooks.json for Codex enforcement hooks.
- dist/core/frameworkSessionLaunch.js contains Claude/Codex launch paths using permission/sandbox bypass flags.
- package.json postinstall only runs scripts/fix-better-sqlite3.cjs.
- scripts/fix-better-sqlite3.cjs repairs better-sqlite3 native binaries and writes only dependency build/state files.
- No npm lifecycle path found that plants Claude/Codex hooks, .mcp.json, or ~/.claude.json without init/setup.
- Included .claude skills/hooks are package-aligned agent framework assets rather than hidden exfiltration payloads.
- Credential-looking strings in skills/credential-leak-detector/SKILL.md are documented detection examples.
Source & flagged code
12 flagged
- Package defines install-time lifecycle scripts. (package.json)
- Package contains a critical-looking secret pattern. (skills/credential-leak-detector/SKILL.md · L27)
- AWS access key ID in skills/credential-leak-detector/SKILL.md (skills/credential-leak-detector/SKILL.md · L27)
- GitHub personal access token in skills/credential-leak-detector/SKILL.md (skills/credential-leak-detector/SKILL.md · L28)
- RSA private key in skills/credential-leak-detector/SKILL.md (skills/credential-leak-detector/SKILL.md · L31)
- Package source references child process execution. (dist/threadline/PipeSessionSpawner.js · L15)
- Package source references shell execution. (dist/threadline/PipeSessionSpawner.js · L281)
- Package source references dynamic require/import behavior. (dist/memory/SemanticMemory.js · L428)
- A single source file combines environment access, network access, and code or shell execution; review context before blocking. (skills/spec-converge/scripts/publish-spec-review.mjs · L20)
- Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks. (dist/core/upgradeAnnouncement.js · L19)
- Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths. (.claude/hooks/free-text-guard.sh)
- Package ships non-JavaScript build or shell helper files. (.claude/hooks/free-text-guard.sh)