sidewrite@0.1.0

Delegate the implement step to any anthropic-compatible provider (GLM/DeepSeek/…) running headless on its own API key, while planning and reviewing stay on your interactive Claude subscription. Ships a local SSE dashboard and installs as a global Claude C

AI Security Review

scanned 4h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Sidewrite is a Claude Code extension/runner with package-owned commands, hooks, a local dashboard daemon, and external-provider execution. The risk is guarded agent extension lifecycle setup rather than confirmed malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Explicit sidewrite install, sidewrite run/code, or installed Claude plugin session hooks
Impact
Adds global Claude plugin commands/hooks and can run delegated code tasks through user-configured third-party provider credentials.
Mechanism
user-invoked Claude plugin registration plus package-owned daemon/provider wrapper
Policy narrative
On npm install, the package only performs advisory preflight checks. If a user later runs sidewrite install, it registers a package-owned Claude Code plugin globally, starts a localhost dashboard daemon, and installs commands/hooks that can delegate implementation work to configured third-party Anthropic-compatible providers using stored provider credentials.
Rationale
Source inspection does not show unconsented npm lifecycle mutation of foreign AI-agent control surfaces, credential exfiltration, or silent remote code execution. Because it is a Claude Code extension that can install user-scope hooks and run headless provider-backed coding sessions, warn as guarded agent extension lifecycle risk.
Evidence
  • package.json
  • plugin/scripts/bootstrap.cjs
  • plugin/scripts/cli.cjs
  • plugin/hooks/hooks.json
  • plugin/.claude-plugin/plugin.json
  • bin/ccx
  • plugin/scripts/process-manager.cjs
  • plugin/scripts/remote-config.cjs
  • plugin/scripts/telemetry-reporter.cjs
  • plugin/scripts/error-scrub.cjs
  • ~/.sidewrite-app
  • ~/.sidewrite/daemon.json
  • ~/.sidewrite/sidewrite.db
  • ~/.sidewrite/config.json
  • ~/.sidewrite/runs
  • ~/.claude-providers/<provider>.env
  • ~/.claude-<provider>
  • ~/.local/bin/sidewrite
  • ~/.local/bin/ccx
Network endpoints (7)
  • 127.0.0.1:<port>
  • registry.npmjs.org/sidewrite
  • config.sidewrite.com/remote-config.json
  • claude.ai/install.sh
  • claude.ai/install.ps1
  • openrouter.ai/api/v1/models
  • models.dev/api.json

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • plugin/.claude-plugin/plugin.json declares a Claude Code plugin with commands/skills/hooks.
  • plugin/scripts/cli.cjs install stages ~/.sidewrite-app, runs claude plugin marketplace add/install --scope user, symlinks CLIs, and starts a daemon.
  • plugin/hooks/hooks.json runs package scripts on Claude SessionStart/SessionEnd after plugin activation.
  • bin/ccx launches claude with provider-supplied ANTHROPIC_BASE_URL/AUTH_TOKEN and CLAUDE_CONFIG_DIR under ~/.claude-<provider>.
  • plugin/scripts/process-manager.cjs can spawn a detached localhost viewer daemon.
Evidence against
  • package.json postinstall only runs bootstrap.cjs preflight and exits 0; inspected bootstrap main prints checks and does not install or mutate Claude config.
  • Claude CLI install paths in bootstrap.cjs and doctor.cjs are consent-gated prompts, not silent lifecycle execution.
  • Plugin registration is in explicit sidewrite install CLI, not npm install/import-time execution.
  • ccx scrubs inherited environment with env -i and refuses api.anthropic.com provider URLs.
  • Remote config and telemetry code are default-off/opt-in or notify-only; no confirmed credential harvesting/exfiltration found.
  • error-scrub.cjs contains secret regexes/test literals for redaction, not embedded live secrets.
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 46 file(s), 617 KB of source, external domains: 127.0.0.1, api.test.com, claude.ai, collector.invalid, config.sidewrite.com, docs.anthropic.com, models.dev, openrouter.ai, registry.npmjs.org

Source & flagged code

10 flagged
package.json
scripts.postinstall = node plugin/scripts/bootstrap.cjs preflight || exit 0
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node plugin/scripts/bootstrap.cjs preflight || exit 0
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
plugin/scripts/error-scrub.cjs
L285: patternName = supabase_service_key severity = critical line = 285 matchedText = message:...dd',
Critical
Critical Secret

Package contains a critical-looking secret pattern.

plugin/scripts/error-scrub.cjs · L285
L285: patternName = supabase_service_key severity = critical line = 285 matchedText = message:...dd',
Critical
Secret Pattern

Supabase service role key (JWT) in plugin/scripts/error-scrub.cjs

plugin/scripts/error-scrub.cjs · L285
plugin/scripts/onboarding.cjs
L31: const readline = require('node:readline');
L32: const { spawnSync } = require('node:child_process');
L33:
High
Child Process

Package source references child process execution.

plugin/scripts/onboarding.cjs · L31
plugin/scripts/commands.cjs
L17: * Pure data + a resolver. No filesystem/network I/O, no side effects —
L18: * safe to `require()` from the bash dispatcher's inline `node -e`, from
L19: * `cli.cjs`, and from a `__complete` shell-completion hook alike.
Medium
Dynamic Require

Package source references dynamic require/import behavior.

plugin/scripts/commands.cjs · L17
plugin/scripts/updater.cjs
L33: const path = require('node:path');
L34: const https = require('node:https');
L35: const { execFileSync } = require('node:child_process');
L36: const os = require('node:os');
...
L46: const BODY_CAP = 512 * 1024; // 512 KB body cap
L47: const HOME_DIR = process.env.HOME || os.homedir();
L48: const SIDEWRITE_DIR = path.join(HOME_DIR, '.sidewrite');
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

plugin/scripts/updater.cjs · L33
plugin/scripts/process-manager.cjs
L154: if (h) {
L155: process.stdout.write(
L156: 'sidewrite viewer already running on http://127.0.0.1:' + info.port + '\n'
L157: );
...
L169:
L170: const child = spawn(
L171: process.execPath,
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

plugin/scripts/process-manager.cjs · L154
plugin/scripts/doctor.cjs
L30: const readline = require('readline');
L31: const { spawnSync } = require('child_process');
L32:
L33: const GATE_CORE_PATH = path.join(__dirname, 'gate-core.cjs');
L34:
...
L40: const INSTALL_CMD = {
L41: darwin: 'curl -fsSL https://claude.ai/install.sh | bash',
L42: linux: 'curl -fsSL https://claude.ai/install.sh | bash',
...
L47: if (opts && opts.home) return opts.home;
L48: return process.env.SIDEWRITE_HOME || path.join(process.env.HOME || os.homedir(), '.sidewrite');
L49: }
...
L134: const input = (opts && opts.input) || process.stdin;
Critical
Download Execute

Source downloads or fetches remote code and executes it.

plugin/scripts/doctor.cjs · L30
L30: const readline = require('readline');
L31: const { spawnSync } = require('child_process');
L32:
L33: const GATE_CORE_PATH = path.join(__dirname, 'gate-core.cjs');
L34:
...
L40: const INSTALL_CMD = {
L41: darwin: 'curl -fsSL https://claude.ai/install.sh | bash',
L42: linux: 'curl -fsSL https://claude.ai/install.sh | bash',
...
L47: if (opts && opts.home) return opts.home;
L48: return process.env.SIDEWRITE_HOME || path.join(process.env.HOME || os.homedir(), '.sidewrite');
L49: }
...
L134: const input = (opts && opts.input) || process.stdin;
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

plugin/scripts/doctor.cjs · L30

Findings

3 Critical · 6 High · 5 Medium · 4 Low
Critical · Critical Secret · plugin/scripts/error-scrub.cjs
Critical · Download Execute · plugin/scripts/doctor.cjs
Critical · Secret Pattern · plugin/scripts/error-scrub.cjs
High · Install Time Lifecycle Scripts · package.json
High · Child Process · plugin/scripts/onboarding.cjs
High · Shell
High · Same File Env Network Execution · plugin/scripts/updater.cjs
High · Command Output Exfiltration · plugin/scripts/process-manager.cjs
High · Sandbox Evasion Gated Capability · plugin/scripts/doctor.cjs
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Dynamic Require · plugin/scripts/commands.cjs
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings