instar@1.3.733

Coherence infrastructure for self-evolving AI agents — on the Claude Code or Codex subscription you already have.

AI Security Review

scanned 4h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm postinstall for native repair; explicit instar setup/init/server usage for agent features
Impact
Potentially powerful local agent automation when the user opts into setup, but no unconsented lifecycle mutation of foreign/global agent control surfaces was found.
Mechanism
package-aligned native rebuild/download and user-invoked agent extension scaffolding
Rationale
Source inspection shows high-risk agent functionality, but the npm lifecycle hook only repairs a package dependency and the Claude/Codex control-surface writes are explicit setup/init behavior. This supports a warning for dangerous agent extension capability, not a malicious publish block.
Evidence
  • package.json
  • scripts/fix-better-sqlite3.cjs
  • dist/commands/setup.js
  • dist/commands/init.js
  • dist/core/installCodexHooks.js
  • dist/threadline/PipeSessionSpawner.js
  • .claude/hooks/instar/before-prompt-recall.js
  • node_modules/better-sqlite3/.instar-fix-state.json
  • node_modules/better-sqlite3/build
  • CLAUDE.md
  • .instar/AGENT.md
  • .instar/USER.md
  • .instar/MEMORY.md
  • .claude/settings.json
  • .codex/hooks.json
Network endpoints (2)
  • github.com/WiseLibs/better-sqlite3/releases/download/
  • localhost:4042/internal/prompt-recall

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall: node scripts/fix-better-sqlite3.cjs
  • scripts/fix-better-sqlite3.cjs can curl a better-sqlite3 prebuild from GitHub and run npm rebuild
  • dist/commands/setup.js warns it runs Claude/Codex with permission/sandbox bypass flags
  • dist/core/installCodexHooks.js writes per-project .codex/hooks.json for Instar hook enforcement
  • package.json ships .claude skills/hooks content
Evidence against
  • postinstall is scoped to repairing better-sqlite3 native binary, not agent-control-surface mutation
  • AI agent hooks and CLAUDE/Codex files are installed by explicit CLI setup/init flows, not npm install
  • installCodexHooks.js documents per-project .codex/hooks.json, not global ~/.codex hooks
  • PipeSessionSpawner scrubs provider keys before spawning headless sessions
  • No credential harvesting or external exfiltration endpoint found in inspected hot files
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell, WebSocket
Supply chain
HighEntropyStrings, Obfuscated, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 1,541 file(s), 20.0 MB of source, external domains: 127.0.0.1, abc123.trycloudflare.com, api.anthropic.com, api.cloudflare.com, api.github.com, api.groq.com, api.mail.tm, api.openai.com, api.slack.com, api.telegra.ph, api.telegram.org, blob.vercel-storage.com, bot-me.ai, brew.sh, cli.github.com, console.cloud.google.com, dawn.bot-me.ai, docs.anthropic.com, en.wikipedia.org, feedback.dawn-tunnel.dev, files.slack.com, git-scm.com, github.com, graph.facebook.com, instar-telemetry.sagemind-ai.workers.dev, instar.sh, myapp.vercel.app, nodejs.org, platform.claude.com, raw.githubusercontent.com, sagemindai.io, sentry.io, slack.com, staging.myapp.com, telegra.ph, threadline-relay.fly.dev, web.telegram.org, www.apple.com, www.npmjs.com

Source & flagged code

12 flagged
package.json
scripts.postinstall = node scripts/fix-better-sqlite3.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

skills/credential-leak-detector/SKILL.md
L27: patternName = aws_access_key severity = critical line = 27 matchedText = | AWS ac...F` |
Critical
Critical Secret

Package contains a critical-looking secret pattern.

L27: patternName = aws_access_key severity = critical line = 27 matchedText = | AWS ac...F` |
Critical
Secret Pattern

AWS access key ID in skills/credential-leak-detector/SKILL.md

L28: patternName = github_pat severity = critical line = 28 matchedText = | GitHub...x` |
Critical
Secret Pattern

GitHub personal access token in skills/credential-leak-detector/SKILL.md

L31: patternName = private_key_rsa severity = critical line = 31 matchedText = | PEM pr...-` |
Critical
Secret Pattern

RSA private key in skills/credential-leak-detector/SKILL.md

dist/threadline/PipeSessionSpawner.js
  L15: */
  L16: import { execSync } from 'node:child_process';
  L17: import fs from 'node:fs';
High
Child Process

Package source references child process execution.

  L281: // Spawn tmux session
  L282: execSync(`tmux new-session -d -s "${sessionName}" -x 200 -y 50 'bash -c "${shellCmd.replace(/"/g, '\\"')}"'`, { timeout: 10_000 });
  L283: // Wait for session to be created
High
Shell

Package source references shell execution.

dist/memory/SemanticMemory.js
  L428: // better-sqlite3 loads its native binding at module-load time, so a
  L429: // NODE_MODULE_VERSION mismatch throws inside `await import(...)`. The
  L430: // healer rebuilds better-sqlite3 synchronously and retries once. See PROP-399.
Medium
Dynamic Require

Package source references dynamic require/import behavior.

skills/spec-converge/scripts/publish-spec-review.mjs
  L20: * --spec docs/specs/FOO-SPEC.md \
  L21: * --pr https://github.com/JKHeadley/instar/pull/670 \
  L22: * --topic 12476 [--send]
  ...
  L30: import path from 'node:path';
  L31: import { spawnSync } from 'node:child_process';
  L32: import { checkEli16Overview } from '../../../scripts/eli16-overview-check.mjs';
  L33:
  L34: export const API_PORT = Number(process.env.INSTAR_PORT) || 4042;
  L35:
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/core/upgradeAnnouncement.js
  L19: contains invisible/control Unicode U+FEFF (zero width no-break space)
  const FRONTMATTER_RE = /^<U+FEFF>?---\r?\n([\s\S]*?)\r?\n---\r?\n?([\s\S]*)$/;
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

.claude/hooks/free-text-guard.sh
path = .claude/hooks/free-text-guard.sh kind = payload_in_excluded_dir sizeBytes = 3888 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

path = .claude/hooks/free-text-guard.sh kind = build_helper sizeBytes = 3888 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.


Findings

5 Critical · 5 High · 5 Medium · 6 Low
Critical · Critical Secret · skills/credential-leak-detector/SKILL.md
Critical · Trojan Source Unicode · dist/core/upgradeAnnouncement.js
Critical · Secret Pattern · skills/credential-leak-detector/SKILL.md
Critical · Secret Pattern · skills/credential-leak-detector/SKILL.md
Critical · Secret Pattern · skills/credential-leak-detector/SKILL.md
High · Install Time Lifecycle Scripts · package.json
High · Child Process · dist/threadline/PipeSessionSpawner.js
High · Shell · dist/threadline/PipeSessionSpawner.js
High · Same File Env Network Execution · skills/spec-converge/scripts/publish-spec-review.mjs
High · Payload In Excluded Dir · .claude/hooks/free-text-guard.sh
Medium · Dynamic Require · dist/memory/SemanticMemory.js
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · .claude/hooks/free-text-guard.sh
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Url Strings