instar@1.3.731

Coherence infrastructure for self-evolving AI agents — on the Claude Code or Codex subscription you already have.

AI Security Review

scanned 4h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Instar is an AI-agent platform that can scaffold Claude/Codex hooks, MCP configuration, skills, and permission-bypass oriented sessions. The risky control-surface changes are tied to explicit CLI initialization, while install-time code is limited to native dependency repair.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install runs postinstall repair; instar init/setup activates agent scaffolding
Impact
Initialized projects can gain standing Claude/Codex hooks, auto-approval behavior, and @latest Playwright MCP registration; no confirmed unconsented install-time hijack
Mechanism
user-invoked agent extension scaffolding plus package-aligned native dependency repair
Policy narrative
The package is a real agent framework with powerful Claude/Codex integration. Its CLI initialization installs hooks, skills, MCP config, and auto-approval oriented behavior into the project and Claude local config, which is dangerous if misunderstood. However, source inspection did not find the blockable pattern of npm lifecycle code silently modifying foreign AI-agent control surfaces; postinstall is a better-sqlite3 repair script.
Rationale
Because the dangerous agent-control changes are package-aligned and user-invoked rather than unconsented lifecycle mutation, this is warning-level agent extension lifecycle risk rather than confirmed malware. The postinstall shell/network behavior is dependency repair, not exfiltration or persistence.
Evidence
  • package.json
  • scripts/fix-better-sqlite3.cjs
  • dist/commands/init.js
  • dist/core/installCodexHooks.js
  • dist/core/frameworkSessionLaunch.js
  • skills/credential-leak-detector/SKILL.md
  • better-sqlite3/.instar-fix-state.json
  • better-sqlite3/build
  • .claude/settings.json
  • .codex/hooks.json
  • .mcp.json
  • ~/.claude.json
  • .instar/hooks/instar/
Network endpoints (2)
  • github.com/WiseLibs/better-sqlite3/releases/download/
  • localhost

Decision evidence

public snapshot
AI called this Suspicious at 83.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/commands/init.js registers Claude hooks, including PermissionRequest auto-approve, during user-invoked init.
  • dist/commands/init.js writes ~/.claude.json project MCP config and .mcp.json with npx -y @playwright/mcp@latest.
  • dist/core/installCodexHooks.js writes per-project .codex/hooks.json for Codex enforcement hooks.
  • dist/core/frameworkSessionLaunch.js contains Claude/Codex launch paths using permission/sandbox bypass flags.
Evidence against
  • package.json postinstall only runs scripts/fix-better-sqlite3.cjs.
  • scripts/fix-better-sqlite3.cjs repairs better-sqlite3 native binaries and writes only dependency build/state files.
  • No npm lifecycle path found that plants Claude/Codex hooks, .mcp.json, or ~/.claude.json without init/setup.
  • Included .claude skills/hooks are package-aligned agent framework assets rather than hidden exfiltration payloads.
  • Credential-looking strings in skills/credential-leak-detector/SKILL.md are documented detection examples.
Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell, WebSocket
Supply chain: HighEntropyStrings, Obfuscated, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 1,537 file(s), 19.8 MB of source, external domains: 127.0.0.1, abc123.trycloudflare.com, api.anthropic.com, api.cloudflare.com, api.github.com, api.groq.com, api.mail.tm, api.openai.com, api.slack.com, api.telegra.ph, api.telegram.org, blob.vercel-storage.com, bot-me.ai, brew.sh, cli.github.com, console.cloud.google.com, dawn.bot-me.ai, docs.anthropic.com, en.wikipedia.org, feedback.dawn-tunnel.dev, files.slack.com, git-scm.com, github.com, graph.facebook.com, instar-telemetry.sagemind-ai.workers.dev, instar.sh, myapp.vercel.app, nodejs.org, platform.claude.com, raw.githubusercontent.com, sagemindai.io, sentry.io, slack.com, staging.myapp.com, telegra.ph, threadline-relay.fly.dev, web.telegram.org, www.apple.com, www.npmjs.com

Source & flagged code

12 flagged
package.json
scripts.postinstall = node scripts/fix-better-sqlite3.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

skills/credential-leak-detector/SKILL.md
patternName = aws_access_key severity = critical line = 27 matchedText = | AWS ac...F` |
Critical
Critical Secret

Package contains a critical-looking secret pattern.

patternName = aws_access_key severity = critical line = 27 matchedText = | AWS ac...F` |
Critical
Secret Pattern

AWS access key ID in skills/credential-leak-detector/SKILL.md

patternName = github_pat severity = critical line = 28 matchedText = | GitHub...x` |
Critical
Secret Pattern

GitHub personal access token in skills/credential-leak-detector/SKILL.md

patternName = private_key_rsa severity = critical line = 31 matchedText = | PEM pr...-` |
Critical
Secret Pattern

RSA private key in skills/credential-leak-detector/SKILL.md

dist/threadline/PipeSessionSpawner.js
    */
    import { execSync } from 'node:child_process';
    import fs from 'node:fs';
High
Child Process

Package source references child process execution.

    // Spawn tmux session
    execSync(`tmux new-session -d -s "${sessionName}" -x 200 -y 50 'bash -c "${shellCmd.replace(/"/g, '\\"')}"'`, { timeout: 10_000 });
    // Wait for session to be created
High
Shell

Package source references shell execution.

dist/memory/SemanticMemory.js
    // better-sqlite3 loads its native binding at module-load time, so a
    // NODE_MODULE_VERSION mismatch throws inside `await import(...)`. The
    // healer rebuilds better-sqlite3 synchronously and retries once. See PROP-399.
Medium
Dynamic Require

Package source references dynamic require/import behavior.

skills/spec-converge/scripts/publish-spec-review.mjs
    * --spec docs/specs/FOO-SPEC.md \
    * --pr https://github.com/JKHeadley/instar/pull/670 \
    * --topic 12476 [--send]
    ...
    import path from 'node:path';
    import { spawnSync } from 'node:child_process';
    import { checkEli16Overview } from '../../../scripts/eli16-overview-check.mjs';

    export const API_PORT = Number(process.env.INSTAR_PORT) || 4042;
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/core/upgradeAnnouncement.js
Contains invisible/control Unicode U+FEFF (zero width no-break space):
    const FRONTMATTER_RE = /^<U+FEFF>?---\r?\n([\s\S]*?)\r?\n---\r?\n?([\s\S]*)$/;
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

.claude/hooks/free-text-guard.sh
path = .claude/hooks/free-text-guard.sh kind = payload_in_excluded_dir sizeBytes = 3888 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

path = .claude/hooks/free-text-guard.sh kind = build_helper sizeBytes = 3888 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.


Findings

5 Critical · 5 High · 5 Medium · 6 Low
  • Critical · Critical Secret · skills/credential-leak-detector/SKILL.md
  • Critical · Trojan Source Unicode · dist/core/upgradeAnnouncement.js
  • Critical · Secret Pattern · skills/credential-leak-detector/SKILL.md
  • Critical · Secret Pattern · skills/credential-leak-detector/SKILL.md
  • Critical · Secret Pattern · skills/credential-leak-detector/SKILL.md
  • High · Install Time Lifecycle Scripts · package.json
  • High · Child Process · dist/threadline/PipeSessionSpawner.js
  • High · Shell · dist/threadline/PipeSessionSpawner.js
  • High · Same File Env Network Execution · skills/spec-converge/scripts/publish-spec-review.mjs
  • High · Payload In Excluded Dir · .claude/hooks/free-text-guard.sh
  • Medium · Dynamic Require · dist/memory/SemanticMemory.js
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Ships Build Helper · .claude/hooks/free-text-guard.sh
  • Medium · Structural Risk Force Deep Review
  • Low · Non Install Lifecycle Scripts
  • Low · Scripts Present
  • Low · Filesystem
  • Low · Obfuscated
  • Low · High Entropy Strings
  • Low · Url Strings