LPM treats this as warn-only first-party agent extension lifecycle risk. No npm install-time attack is present. If the package's Claude Code plugin is explicitly installed, its lifecycle hooks invoke the package CLI and can launch a detached post-session processing task.
Package contains a critical-looking secret pattern.
src/eval/scenarios.jsView on unpkg · L135Stripe live secret key in src/eval/scenarios.js
src/eval/scenarios.jsView on unpkg · L135Package source references child process execution.
scripts/run-tests.mjsView on unpkg · L5Package source invokes a package manager install command at runtime.
src/commands/doctor.jsView on unpkg · L82This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
src/commands/pulse.jsView on unpkgPackage contains a critical-looking secret pattern.
src/eval/scenarios.jsView on unpkg · L135Stripe live secret key in src/eval/scenarios.js
src/eval/scenarios.jsView on unpkg · L135This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
src/commands/pulse.jsView on unpkgPackage source references child process execution.
scripts/run-tests.mjsView on unpkg · L5Package source invokes a package manager install command at runtime.
src/commands/doctor.jsView on unpkg · L82