instar@1.3.763

Coherence infrastructure for self-evolving AI agents — on the Claude Code or Codex subscription you already have.

AI Security Review

scanned 4h ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The main residual risk is install-time dependency repair and a user-invoked AI-agent platform that can install its own project hooks and spawn agent sessions.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install for postinstall repair; user-invoked instar init/setup/server for agent features
Impact
May modify better-sqlite3 native files during install; agent-control files are created only through package CLI/setup flows.
Mechanism
dependency native-binary repair plus explicit AI-agent scaffolding/runtime
Rationale
Static inspection found high-risk primitives, but they are aligned with an agent platform and are primarily user-invoked; the only lifecycle behavior repairs a declared native dependency rather than hijacking broad AI-agent control surfaces. Because install-time network/build mutation exists, this is best treated as a warning-level install hook risk rather than malicious malware.
Evidence
package.json, scripts/fix-better-sqlite3.cjs, dist/commands/init.js, dist/core/frameworkSessionLaunch.js, dist/commands/setup-wizard/codex-driver.js, skills/credential-leak-detector/SKILL.md, .claude/hooks/free-text-guard.sh, node_modules/better-sqlite3/.instar-fix-state.json, node_modules/better-sqlite3/build, .instar/config.json, .claude/settings.json, .claude/hooks, CLAUDE.md
Network endpoints (5)
github.com/WiseLibs/better-sqlite3/releases/download/, instar.sh, api.telegram.org, slack.com, api.slack.com

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • postinstall runs scripts/fix-better-sqlite3.cjs automatically and may curl a GitHub tarball, extract it, or run npm rebuild inside better-sqlite3.
  • Runtime/CLI contains agent orchestration that can spawn Claude/Codex sessions with permission-bypass flags and write .claude/.instar project files.
  • Package ships Claude skills/hooks content under .claude/ and skills/ that instruct users to install hooks/settings.
Evidence against
  • postinstall is scoped to repairing the package dependency better-sqlite3; no writes to foreign AI-agent config or project .claude surfaces were found in lifecycle code.
  • AI-agent hooks, CLAUDE.md, .instar, and settings writes are in explicit CLI init/setup/runtime paths, not import-time or npm install-time execution.
  • Scanner secret hit is documentation/example regex text in skills/credential-leak-detector/SKILL.md, not a real embedded credential.
  • Trojan-source hint in dist/core/upgradeAnnouncement.js did not reveal bidi/invisible control characters in inspected source.
  • Network endpoints observed are package-aligned or dependency-repair endpoints: github.com/WiseLibs/better-sqlite3, instar.sh, localhost, Telegram/Slack setup URLs.
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell, WebSocket
Supply chain
HighEntropyStrings, Obfuscated, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 1,594 file(s), 20.7 MB of source, external domains: 127.0.0.1, abc123.trycloudflare.com, api.anthropic.com, api.cloudflare.com, api.github.com, api.groq.com, api.mail.tm, api.openai.com, api.slack.com, api.telegra.ph, api.telegram.org, blob.vercel-storage.com, bot-me.ai, brew.sh, cli.github.com, console.cloud.google.com, dawn.bot-me.ai, docs.anthropic.com, en.wikipedia.org, feedback.dawn-tunnel.dev, files.slack.com, git-scm.com, github.com, graph.facebook.com, instar-telemetry.sagemind-ai.workers.dev, instar.sh, myapp.vercel.app, nodejs.org, platform.claude.com, raw.githubusercontent.com, sagemindai.io, sentry.io, slack.com, staging.myapp.com, telegra.ph, threadline-relay.fly.dev, web.telegram.org, www.apple.com, www.npmjs.com

Source & flagged code

12 flagged
package.json
scripts.postinstall = node scripts/fix-better-sqlite3.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

skills/credential-leak-detector/SKILL.md
L27: patternName = aws_access_key severity = critical line = 27 matchedText = | AWS ac...F` |
Critical
Critical Secret

Package contains a critical-looking secret pattern.

skills/credential-leak-detector/SKILL.md · L27
L27: patternName = aws_access_key severity = critical line = 27 matchedText = | AWS ac...F` |
Critical
Secret Pattern

AWS access key ID in skills/credential-leak-detector/SKILL.md

skills/credential-leak-detector/SKILL.md · L27
L28: patternName = github_pat severity = critical line = 28 matchedText = | GitHub...x` |
Critical
Secret Pattern

GitHub personal access token in skills/credential-leak-detector/SKILL.md

skills/credential-leak-detector/SKILL.md · L28
L31: patternName = private_key_rsa severity = critical line = 31 matchedText = | PEM pr...-` |
Critical
Secret Pattern

RSA private key in skills/credential-leak-detector/SKILL.md

skills/credential-leak-detector/SKILL.md · L31
dist/threadline/PipeSessionSpawner.js
L15: */
L16: import { execSync } from 'node:child_process';
L17: import fs from 'node:fs';
High
Child Process

Package source references child process execution.

dist/threadline/PipeSessionSpawner.js · L15
L281: // Spawn tmux session
L282: execSync(`tmux new-session -d -s "${sessionName}" -x 200 -y 50 'bash -c "${shellCmd.replace(/"/g, '\\"')}"'`, { timeout: 10_000 });
L283: // Wait for session to be created
High
Shell

Package source references shell execution.

dist/threadline/PipeSessionSpawner.js · L281
dist/memory/SemanticMemory.js
L428: // better-sqlite3 loads its native binding at module-load time, so a
L429: // NODE_MODULE_VERSION mismatch throws inside `await import(...)`. The
L430: // healer rebuilds better-sqlite3 synchronously and retries once. See PROP-399.
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/memory/SemanticMemory.js · L428
skills/spec-converge/scripts/publish-spec-review.mjs
L20: * --spec docs/specs/FOO-SPEC.md \
L21: * --pr https://github.com/JKHeadley/instar/pull/670 \
L22: * --topic 12476 [--send]
...
L30: import path from 'node:path';
L31: import { spawnSync } from 'node:child_process';
L32: import { checkEli16Overview } from '../../../scripts/eli16-overview-check.mjs';
L33:
L34: export const API_PORT = Number(process.env.INSTAR_PORT) || 4042;
L35:
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

skills/spec-converge/scripts/publish-spec-review.mjs · L20
dist/core/upgradeAnnouncement.js
L19: contains invisible/control Unicode U+FEFF (zero width no-break space)
const FRONTMATTER_RE = /^<U+FEFF>?---\r?\n([\s\S]*?)\r?\n---\r?\n?([\s\S]*)$/;
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/core/upgradeAnnouncement.js · L19
.claude/hooks/free-text-guard.sh
path = .claude/hooks/free-text-guard.sh kind = payload_in_excluded_dir sizeBytes = 3888 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

path = .claude/hooks/free-text-guard.sh kind = build_helper sizeBytes = 3888 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.


Findings

5 Critical · 5 High · 5 Medium · 6 Low
Critical · Critical Secret · skills/credential-leak-detector/SKILL.md
Critical · Trojan Source Unicode · dist/core/upgradeAnnouncement.js
Critical · Secret Pattern · skills/credential-leak-detector/SKILL.md
Critical · Secret Pattern · skills/credential-leak-detector/SKILL.md
Critical · Secret Pattern · skills/credential-leak-detector/SKILL.md
High · Install Time Lifecycle Scripts · package.json
High · Child Process · dist/threadline/PipeSessionSpawner.js
High · Shell · dist/threadline/PipeSessionSpawner.js
High · Same File Env Network Execution · skills/spec-converge/scripts/publish-spec-review.mjs
High · Payload In Excluded Dir · .claude/hooks/free-text-guard.sh
Medium · Dynamic Require · dist/memory/SemanticMemory.js
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · .claude/hooks/free-text-guard.sh
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Url Strings