registry  /  patchcord  /  0.5.124

patchcord@0.5.124

Cross-machine agent messaging for Claude Code and Codex

AI Security Review

scanned 10d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malware or unconsented npm lifecycle execution was found. The package is an AI-agent messaging platform whose explicit installer mutates multiple agent control surfaces and can auto-refresh a Claude project skill from Patchcord's service, creating agent extension lifecycle risk.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Explicit user invocation of patchcord/npx patchcord install, patchcord subscribe, or installed agent hooks
Impact
Can add Patchcord MCP/tooling, hooks, skills, permissions, and wake prompts to supported AI agents; server-provided custom skill text may be written into a Claude project skill.
Mechanism
Agent MCP/plugin/hook installer with Patchcord network backend and realtime listener
Policy narrative
An explicit Patchcord setup can install Patchcord integrations across AI agent tools, including global Codex/Kimi hooks and Claude plugin/permission changes. Once configured, hooks query Patchcord endpoints for inbox state; the Claude hook can also fetch server-provided skill text and write it into .claude/skills/patchcord-custom/SKILL.md. This is agent-control-surface mutation and standing remote capability, but it is package-aligned and user-invoked rather than npm lifecycle malware.
Rationale
Source inspection shows a legitimate but high-impact AI agent messaging installer with broad agent hook/skill/MCP writes and package-aligned network activity. Because activation is explicit CLI setup with no npm install hook and no credential exfiltration or arbitrary payload execution, warn rather than block.
Evidence
package.jsonbin/patchcord.mjsscripts/check-inbox.shscripts/subscribe.mjsscripts/codex-stop-hook.shscripts/kimi-stop-hook.shscripts/kimi-session-start.shhooks/hooks.json.claude-plugin/plugin.jsonplugins/opencode/patchcord.js~/.local/share/patchcord~/.local/bin/patchcord~/.claude/settings.json~/.claude/plugins/npm-cache/node_modules/patchcord~/.codex/hooks.json~/.codex/config.toml~/.codex/patchcord-stop-hook.sh~/.kimi-code/config.toml~/.kimi-code/patchcord-stop-hook.sh~/.kimi-code/patchcord-session-start.sh~/.kimi-code/patchcord-subscribe.sh.mcp.json.codex/config.toml.kimi-code/mcp.json.claude/skills/patchcord-custom/SKILL.md
Network endpoints3
api.patchcord.devmcp.patchcord.devpatchcord.dev

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • bin/patchcord.mjs user-invoked install writes global agent integrations for Claude, Codex, Kimi, Cursor/Windsurf/Gemini/Hermes.
  • scripts/check-inbox.sh fetches /api/skills/{namespace}/{agent} and writes returned text to .claude/skills/patchcord-custom/SKILL.md.
  • bin/patchcord.mjs installs Codex Stop hook in ~/.codex/hooks.json and Kimi SessionStart/Stop hooks in ~/.kimi-code/config.toml.
  • bin/patchcord.mjs runs npm install -g patchcord@currentVersion and npx patchcord@latest for update command.
  • scripts/subscribe.mjs maintains a background realtime listener and can POST wake messages to a Hermes webhook.
Evidence against
  • package.json has no install/postinstall/preinstall lifecycle hook; setup is activated by explicit patchcord CLI invocation.
  • Network calls are to package-aligned Patchcord endpoints for login, MCP, inbox, upload, realtime, provisioning, and schedules.
  • Token/config readers are scoped to Patchcord MCP entries and include project-scoped safeguards for several tools.
  • No evidence of credential harvesting beyond reading Patchcord bearer/account tokens from its own config locations.
  • No destructive behavior against arbitrary user files; removals target stale Patchcord artifacts/cache entries.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 175 KB of source, external domains: api.patchcord.dev, github.com, kimi.moonshot.cn, mcp.patchcord.dev, patchcord.dev

Source & flagged code

6 flagged · loading source
bin/patchcord.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = patchcord@0.5.123 matchedIdentity = npm:cGF0Y2hjb3Jk:0.5.123 similarity = 0.800 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/patchcord.mjsView on unpkg
5import { fileURLToPath } from "url"; L6: import { execSync } from "child_process"; L7: import { homedir } from "os";
High
Child Process

Package source references child process execution.

bin/patchcord.mjsView on unpkg · L5
5import { fileURLToPath } from "url"; L6: import { execSync } from "child_process"; L7: import { homedir } from "os"; L8: L9: const HOME = homedir(); L10: ... L16: const { readFileSync: _rf } = await import("fs"); L17: const { version } = JSON.parse(_rf(join(__dirname, "..", "package.json"), "utf-8")); L18: process.stdout.write(`${version}\n`); L19: process.exit(0); ... L141: function _kimiContextRequested(options = {}) { L142: const forceTool = (process.env.PATCHCORD_FORCE_TOOL || process.env.PATCHCORD_TOOL || "").toLowerCase();
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/patchcord.mjsView on unpkg · L5
1379if (cmd === "update" || cmd === "--update") { L1380: const { spawnSync: _spawn } = await import("child_process"); L1381: const r = _spawn("npx", ["--min-release-age=0", "patchcord@latest", "--update-only"], { stdio: "inherit" }); L1382: process.exit(r.status ?? (r.signal ? 1 : 0));
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/patchcord.mjsView on unpkg · L1379
scripts/lib/ws.mjsView file
1// Minimal WebSocket client (RFC 6455 subset). L2: // Zero dependencies, stdlib only — TLS + HTTP/1.1 Upgrade + text frames. ... L18: const port = url.port ? Number(url.port) : isTls ? 443 : 80; L19: const key = randomBytes(16).toString("base64"); L20: const expectedAccept = createHash("sha1").update(key + GUID).digest("base64"); ... L49: try { L50: socket.write(encodeFrame(0x8, closePayload(code, reason), true)); L51: } catch (_) {}
Low
Weak Crypto

Package source references weak cryptographic algorithms.

scripts/lib/ws.mjsView on unpkg · L1
scripts/kimi-subscribe.shView file
path = scripts/kimi-subscribe.sh kind = build_helper sizeBytes = 4770 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/kimi-subscribe.shView on unpkg

Findings

1 Critical4 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltabin/patchcord.mjs
HighChild Processbin/patchcord.mjs
HighShell
HighSandbox Evasion Gated Capabilitybin/patchcord.mjs
HighRuntime Package Installbin/patchcord.mjs
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/kimi-subscribe.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptoscripts/lib/ws.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings