registry  /  power-claude  /  3.0.49

power-claude@3.0.49

AI Security Review

scanned 15d ago · by lpm-firewall-ai

No concrete malicious exfiltration or install-time payload was confirmed, but the package ships obfuscated executables and can mutate Claude agent hooks/settings during product setup. The unresolved risk is AI-agent control-surface modification plus credential/profile switching that is broadly package-aligned but high impact.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs the CLI setup/commands, activates the VS Code extension, or enables/debugs hooks; npm postinstall references a missing script.
Impact
Can alter Claude hook behavior, inject additional context into sessions, switch local Claude credentials, and proxy Anthropic traffic.
Mechanism
obfuscated local Claude rotation proxy with Claude hook/settings mutation
Attack narrative
If enabled through setup or extension workflows, Power Claude installs Claude hooks and a local proxy that can inject control text into Claude sessions, rotate local credential profiles, and route Anthropic traffic. This matches the package’s advertised multi-account Claude rotation features, but the obfuscated bundles and agent-control hooks make the behavior difficult to audit and high risk.
Rationale
Static inspection found dangerous AI-agent hook/control-surface behavior and obfuscated executables, but the network and credential handling observed are package-aligned and no concrete exfiltration, persistence beyond documented hooks, or working install-time malicious payload was confirmed. Treat as suspicious/dangerous capability rather than proven malware.
Evidence
package.jsonbin/power-claude-cli.jsbin/power-claude-proxy.jsbin/power-claude-rotator.jsscripts/lib/first-run-setup.shscripts/hooks/rate-limit/debug-mode-init.shscripts/hooks/rate-limit/handler.shout/uninstall-hook.js~/.claude/settings.json~/.claude/.credentials.json~/.claude/state/rate-limits.json~/.claude/state/pending-recovery.json~/.power-claude/hooks/rate-limit/handler.sh~/.power-claude/hooks/lifecycle/*.sh~/.power-claude/profiles/*.json~/.power-claude/logs/*
Network endpoints6
api.anthropic.com/v1/messagesapi.anthropic.com/api/oauth/profileapi.neural-llm.com/telemetryneural-llm.com/api/v1/power-claude/manifest.jsonneural-llm.com/license/validate127.0.0.1:<port>

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • bin/power-claude-cli.js, bin/power-claude-proxy.js, and bin/power-claude-rotator.js are heavily obfuscated one-line bundles.
  • scripts/lib/first-run-setup.sh can copy hooks and register a Stop hook into ~/.claude/settings.json by default when CLI setup runs.
  • scripts/hooks/rate-limit/debug-mode-init.sh injects instructions telling Claude to spawn a background subagent when debug mode is enabled.
  • scripts/hooks/rate-limit/handler.sh can replace ~/.claude/.credentials.json with selected profile credentials for account rotation.
  • bin/power-claude-proxy.js implements a local proxy and reads/writes ~/.power-claude and ~/.claude state.
  • package.json declares postinstall bash scripts/release/merge-drivers/register.sh, but that file is absent in the package.
Evidence against
  • No confirmed credential exfiltration endpoint found; Anthropic calls are aligned with Claude account rotation.
  • External endpoints in package metadata/settings are neural-llm.com/api.neural-llm.com for license/update/telemetry and api.anthropic.com for Claude API use.
  • package.json documents prompts/commands for hook installation and says activation prompts are dismissible before modifying ~/.claude.
  • scripts/lib/first-run-setup.sh supports --no-hooks and describes hook registration as CLI/first-run setup behavior.
  • out/uninstall-hook.js only runs bundled emergency/uninstall.sh with --keep-ext on VS Code uninstall.
  • Destructive rm -rf behavior appears limited to user-invoked emergency/uninstall cleanup paths.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
NoLicense
scanned 5 file(s), 1.45 MB of source, external domains: api.anthropic.com, neural-llm.com
Oversized source lightweight scan
bin/power-claude-cli.js2.18 MB file, sampled 256 KB
FilesystemNetworkChildProcessDynamicRequireObfuscatedHighEntropyStringsMinified
out/extension.js4.74 MB file, sampled 256 KB
FilesystemCryptoDynamicRequireObfuscatedHighEntropyStringsMinifiedUrlStringsneural-llm.com

Source & flagged code

9 flagged · loading source
package.jsonView file
scripts.postinstall = bash scripts/release/merge-drivers/register.sh
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = bash scripts/release/merge-drivers/register.sh
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/power-claude-rotator.jsView file
1#!/usr/bin/env node L2: 'use strict';const _0x2226e4=_0x200e;(function(_0x26915e,_0x3715c3){const _0x15a5d8=_0x200e,_0x5b622d=_0x26915e();while(!![]){try{const _0x389e7d=parseInt(_0x15a5d8(0x3b7,'IKne'))/...
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

bin/power-claude-rotator.jsView on unpkg · L1
1#!/usr/bin/env node L2: 'use strict';const _0x2226e4=_0x200e;(function(_0x26915e,_0x3715c3){const _0x15a5d8=_0x200e,_0x5b622d=_0x26915e();while(!![]){try{const _0x389e7d=parseInt(_0x15a5d8(0x3b7,'IKne'))/...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/power-claude-rotator.jsView on unpkg · L1
data/vendor/jq/jq-darwin-amd64View file
path = data/vendor/jq/jq-darwin-amd64 kind = native_binary sizeBytes = 851328 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

data/vendor/jq/jq-darwin-amd64View on unpkg
scripts/emergency/uninstall.shView file
path = scripts/emergency/uninstall.sh kind = build_helper sizeBytes = 17101 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/emergency/uninstall.shView on unpkg
bin/power-claude-cli.jsView file
path = bin/power-claude-cli.js kind = oversized_source_file sizeBytes = 2287554 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

bin/power-claude-cli.jsView on unpkg
path = bin/power-claude-cli.js kind = oversized_cli_entrypoint sizeBytes = 2287554 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

bin/power-claude-cli.jsView on unpkg
bin/power-claude-proxy.jsView file
matchType = previous_version_dangerous_delta matchedPackage = power-claude@3.0.46 matchedIdentity = npm:cG93ZXItY2xhdWRl:3.0.46 similarity = 0.800 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

bin/power-claude-proxy.jsView on unpkg

Findings

1 Critical4 High7 Medium5 Low
CriticalPrevious Version Dangerous Deltabin/power-claude-proxy.js
HighInstall Time Lifecycle Scriptspackage.json
HighObfuscated Payload Loaderbin/power-claude-rotator.js
HighObfuscated
HighOversized Source Filebin/power-claude-cli.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirebin/power-claude-rotator.js
MediumNetwork
MediumShips Native Binarydata/vendor/jq/jq-darwin-amd64
MediumShips Build Helperscripts/emergency/uninstall.sh
MediumOversized Cli Entrypointbin/power-claude-cli.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License