registry  /  plumbbob  /  0.6.1

plumbbob@0.6.1

Attention-first build process: 12 skills + a CLI that keep you the decider — guidance, not enforcement.

AI Security Review

scanned 5h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface. The package does expose explicit Claude plugin setup and user-invoked agent command execution, which is aligned with its documented CLI/plugin purpose.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Explicit user commands such as `plumbbob init` or `plumbbob agent run`; Claude PostToolUse hook only after plugin activation.
Impact
Can register this package as a Claude skills plugin and run local lint tools or user-defined agent commands when invoked, but no install-time hijack or exfiltration was found.
Mechanism
first-party Claude plugin link plus user-authored shell agent runner
Rationale
Source inspection shows explicit, first-party Claude plugin setup and user-invoked agent spawning, but no lifecycle execution, network exfiltration, credential theft, or unconsented broad control-surface mutation. Per policy this is a warning-level agent extension lifecycle risk rather than a publish block.
Evidence
package.jsonbin/plumbbobbin/pbdist/cli.jsdist/cli-core.jsdist/verbs/init.jsdist/verbs/agent.jsdist/lib/agents.jshooks/hooks.jsonhooks/post-edit.sh.claude-plugin/plugin.json~/.claude/skills/plumbbob.plumbbob/builds/*/build-log.md.plumbbob/builds/*/handoff.json

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/verbs/init.js links package into ~/.claude/skills/plumbbob on explicit `plumbbob init`.
  • hooks/hooks.json registers a Claude PostToolUse hook that runs hooks/post-edit.sh.
  • dist/lib/agents.js can spawn user-authored agent.json `command` with shell:true during `plumbbob agent run`.
  • hooks/post-edit.sh reads edited file path from hook input and runs local oxlint/ast-grep if present.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts.
  • bin/plumbbob and bin/pb only exec node dist/cli.js.
  • No network calls or exfiltration endpoints found in inspected source.
  • init.js states and implements symlink setup only; it does not write Claude settings.json.
  • Agent execution is user-invoked via CLI and resolves project/personal agent manifests, not install-time.
  • No obfuscation, encoded payload, credential harvesting, or remote payload loading observed.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 24 file(s), 152 KB of source

Source & flagged code

2 flagged · loading source
hooks/post-edit.shView file
path = hooks/post-edit.sh kind = build_helper sizeBytes = 2405 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

hooks/post-edit.shView on unpkg
dist/lib/agents.jsView file
matchType = previous_version_dangerous_delta matchedPackage = plumbbob@0.5.3 matchedIdentity = npm:cGx1bWJib2I:0.5.3 similarity = 0.636 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/lib/agents.jsView on unpkg

Findings

1 High3 Medium3 Low
HighPrevious Version Dangerous Deltadist/lib/agents.js
MediumEnvironment Vars
MediumShips Build Helperhooks/post-edit.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings