AI Security Review
scanned 1h ago · by lpm-firewall-aiLPM blocks this version under the AI-agent control-surface policy. The package automatically mutates a foreign Claude Code control surface at install time. It registers a persistent Stop hook that executes package code after every Claude Code turn.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs package.json postinstall; later Claude Code Stop events run the hook
Impact
Persistent AI-agent control-surface mutation; installed hook executes notification code after every Claude turn
Mechanism
unconsented lifecycle write to ~/.claude/settings.json Stop hook
Policy narrative
On npm install, package.json runs scripts/postinstall.js, which imports settings.addHook(). That helper reads or creates ~/.claude/settings.json, backs it up, and appends a Claude Code Stop hook whose command is node "<package>/scripts/notify.js". The hook persists beyond installation and runs after Claude Code turns, where notify.js spawns macOS notification tooling. No data theft or network activity was found, but the lifecycle-triggered write to Claude Code settings is an unconsented foreign AI-agent control-surface mutation.
Rationale
Although the payload is a notification feature and no exfiltration is present, the package uses an npm postinstall hook to modify ~/.claude/settings.json and register Claude Code execution without explicit user invocation. Under the install control surface policy, this is blockable AI-agent control hijack.
Evidence
package.jsonscripts/postinstall.jsscripts/settings.jsscripts/notify.jsbin/cli.jsindex.js~/.claude/settings.json~/.claude/settings.json.nathangong.bak~/.claude/settings.json.nathangong.corrupt.bak
Decision evidence
public snapshotAI called this Malicious at 96.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
- package.json runs postinstall and preuninstall lifecycle scripts.
- scripts/postinstall.js calls addHook() automatically during npm install.
- scripts/settings.js writes ~/.claude/settings.json and appends a Claude Code Stop hook command to run package notify.js after every turn.
- scripts/notify.js invokes macOS notifications via node-notifier or detached osascript on each Claude Stop event.
Evidence against
- No network endpoints or exfiltration code found in inspected source.
- index.js only enumerates bundled image assets.
- bin/cli.js install/uninstall/test paths are user-invoked and package-aligned.
- settings.js backs up existing Claude settings and only removes hooks matching nathangong notify.js.
Behavioral surface
ChildProcessFilesystem
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High1 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem