registry  /  nathangong  /  0.4.0

nathangong@0.4.0

Whip-a-Nathan: OpenWhip cursor + Nathan slides in from the side after every Claude Code turn.

AI Security Review

scanned 3d ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Install-time lifecycle code mutates the user's Claude Code settings to add an AI-agent Stop hook. The hook persists outside npm install and executes package code after Claude Code turns.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
npm install / postinstall, then Claude Code Stop hook events
Impact
Persistent Claude Code hook execution from installed package code on each agent turn
Mechanism
unconsented lifecycle AI-agent control-surface mutation
Policy narrative
During npm install, postinstall.js imports settings.js and calls addHook(), which backs up and rewrites ~/.claude/settings.json. It appends a Claude Code Stop hook whose command runs this package's scripts/notify.js. That hook later spawns Electron, a bundled native binary, or osascript to display the package UI after Claude Code turns. This is disclosed in docs, but it is still an automatic lifecycle mutation of an AI-agent control surface rather than an explicit CLI-only opt-in.
Rationale
Source inspection confirms install-time, persistent mutation of Claude Code hook settings, which fits the firewall's malicious boundary for unconsented lifecycle AI-agent control-surface mutation. No exfiltration or network behavior was found, so the block is based on the AI-agent hook persistence mechanism. Product guard normalized a non-low false-positive publish_block request to warn-only suspicious.
Evidence
package.jsonscripts/postinstall.jsscripts/settings.jsscripts/notify.jsscripts/preuninstall.jsbin/cli.jswhip/main.js~/.claude/settings.json~/.claude/settings.json.nathangong.bak~/.claude/settings.json.nathangong.corrupt.bak/tmp/nathangong-session.lock

Decision evidence

public snapshot
AI called this Suspicious at 96.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for policy block
  • package.json runs postinstall: node scripts/postinstall.js
  • scripts/postinstall.js calls addHook() automatically during npm install
  • scripts/settings.js writes ~/.claude/settings.json and appends hooks.Stop command
  • Injected hook runs node scripts/notify.js after every Claude Code Stop event
  • scripts/notify.js spawns Electron/native popup/osascript from the AI-agent hook
Evidence against
  • README.md and INSTALL.md disclose the Claude Code Stop hook behavior
  • No network endpoints or credential exfiltration found by source search
  • Hook payload appears cosmetic notification/overlay behavior
  • preuninstall.js and CLI can remove the package hook
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystem
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 9 file(s), 13.8 KB of source

Source & flagged code

5 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
native/build.shView file
path = native/build.sh kind = build_helper sizeBytes = 824 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

native/build.shView on unpkg
whip/sounds/A.mp3View file
path = whip/sounds/A.mp3 kind = high_entropy_blob sizeBytes = 49581 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

whip/sounds/A.mp3View on unpkg
scripts/notify.jsView file
matchType = previous_version_dangerous_delta matchedPackage = nathangong@0.1.0 matchedIdentity = npm:bmF0aGFuZ29uZw:0.1.0 similarity = 0.667 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

scripts/notify.jsView on unpkg

Findings

1 Critical2 High4 Medium3 Low
CriticalPrevious Version Dangerous Deltascripts/notify.js
HighInstall Time Lifecycle Scriptspackage.json
HighShips High Entropy Blobwhip/sounds/A.mp3
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
MediumShips Build Helpernative/build.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem