AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The runtime can manage Claude Code credentials and hook configuration after extension/CLI use. The package's npm postinstall does not perform those actions because its referenced scripts are absent.
Decision evidence
public snapshot- `bin/power-claude-*.js` and `out/extension.js` are heavily obfuscated, limiting auditability.
- `out/extension.js` documents atomic writes to `~/.claude/.credentials.json` to rotate active accounts.
- `out/extension.js` recognizes and manages Claude Code hook events including `PreToolUse` and `PostToolUse`.
- `package.json` activates the extension on `onStartupFinished`; it also enables telemetry by default.
- `data/runtime/engine.enc` is an opaque high-entropy runtime blob with no readable source explanation.
- `package.json` postinstall only invokes two absent `scripts/...` paths, so the published package's install hook is a no-op.
- `media/walkthrough/install.md` says hooks are created by explicit `pc install`, not npm installation.
- `media/walkthrough/auto-rotation-engine.md` requires `pc rotation engine enable --i-understand` for automatic rotation.
- The declared remote services are package-aligned: Anthropic OAuth/API and Power Claude telemetry/manifest hosts.
- Vendored native files are documented jq 1.7.1 binaries with per-platform SHA-256 values in `data/vendor/jq/manifest.json`.
Source & flagged code
11 flagged · loading sourceInstall-time lifecycle script matches a deterministic static-gate block pattern.
package.jsonView on unpkgPackage defines install-time lifecycle scripts.
package.jsonView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
bin/power-claude-rotator.jsView on unpkgPackage source references child process execution.
bin/power-claude-rotator.jsView on unpkg · L1Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.
bin/power-claude-rotator.jsView on unpkg · L1Package source references dynamic require/import behavior.
bin/power-claude-rotator.jsView on unpkg · L1Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
bin/power-claude-proxy.jsView on unpkg · L1Package ships native binary artifacts.
data/vendor/jq/jq-darwin-amd64View on unpkgPackage ships high-entropy non-source blobs.
data/runtime/engine.encView on unpkgPackage contains source files above the static scanner size ceiling.
bin/power-claude-cli.jsView on unpkgPackage contains an oversized executable-looking CLI entrypoint.
bin/power-claude-cli.jsView on unpkg