registry  /  sidewrite  /  0.3.0

sidewrite@0.3.0

Delegate the implement step to any anthropic-compatible provider (GLM/DeepSeek/…) running headless on its own API key, while planning and reviewing stay on your interactive Claude subscription. Ships a local SSE dashboard and installs as a global Claude C

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious install-time behavior was found. The real risk is an explicit Claude Code extension lifecycle tool that can alter user and per-provider agent configuration when invoked.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs `sidewrite install`, `sidewrite code`, `sidewrite statusline install`, or enables telemetry/remote config.
Impact
Can register a first-party Claude plugin, add MCP tools to isolated provider stations, and optionally send scrubbed telemetry when enabled.
Mechanism
Explicit Claude Code plugin/config setup with local daemon and optional telemetry/remote-config egress
Rationale
Static source inspection supports a warning for agent-extension lifecycle risk, not a publish block: dangerous capabilities are package-aligned and user-invoked, while install-time behavior is advisory preflight only. Scanner secret and download-execute hits are mostly scrubber test patterns and consent-gated installer/remediation code.
Evidence
package.jsonplugin/scripts/bootstrap.cjsplugin/scripts/cli.cjsbin/sidewritebin/ccxplugin/scripts/viewer-daemon.cjsplugin/scripts/telemetry-reporter.cjsplugin/scripts/remote-config.cjsplugin/scripts/gate-core.cjs~/.sidewrite-app~/.local/bin/sidewrite~/.local/bin/ccx~/.sidewrite/config.json~/.sidewrite/sidewrite.db~/.sidewrite/telemetry-queue~/.claude-providers/<provider>.env~/.claude-<provider>/settings.json~/.claude/settings.json
Network endpoints7
sidewrite.com/api/telemetrysidewrite.vercel.app/api/remote-configclaude.ai/install.shclaude.ai/install.ps1mcp.context7.com/mcphtml.duckduckgo.com/html/registry.npmjs.org/sidewrite

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • Explicit `sidewrite install` stages `~/.sidewrite-app`, symlinks CLIs, and runs `claude plugin marketplace add` plus `plugin install` in `plugin/scripts/cli.cjs`.
  • `bin/sidewrite` user-invoked `code` path writes per-provider Claude config under `~/.claude-<provider>` and registers MCP tools.
  • `sidewrite statusline install` writes `~/.claude/settings.json` in `plugin/scripts/cli.cjs`.
  • Opt-in network egress exists for telemetry and remote config endpoints.
Evidence against
  • `package.json` postinstall only runs `bootstrap.cjs preflight || exit 0`.
  • `plugin/scripts/bootstrap.cjs` preflight checks environment and prints fixes; it does not install or write Claude config during postinstall.
  • Claude Code install/remediation in `bootstrap.cjs` and `doctor.cjs` is consent-gated or explicit user-command only.
  • Telemetry defaults to off and scrub/enqueue happens before flush in `viewer-daemon.cjs` and `telemetry-reporter.cjs`.
  • Provider credentials are stored locally under `~/.claude-providers` with 0600 writes; no credential exfiltration found.
  • Remote config is disabled by default and rejects non-HTTPS/api.anthropic.com URLs.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 65 file(s), 911 KB of source, external domains: 127.0.0.1, api.test.com, claude.ai, collector.invalid, docs.anthropic.com, github.com, html.duckduckgo.com, mcp.context7.com, models.dev, openrouter.ai, registry.npmjs.org, sidewrite.com, sidewrite.vercel.app

Source & flagged code

12 flagged · loading source
package.jsonView file
scripts.postinstall = node plugin/scripts/bootstrap.cjs preflight || exit 0
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node plugin/scripts/bootstrap.cjs preflight || exit 0
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
plugin/scripts/error-scrub.cjsView file
285patternName = supabase_service_key severity = critical line = 285 matchedText = message:...dd',
Critical
Critical Secret

Package contains a critical-looking secret pattern.

plugin/scripts/error-scrub.cjsView on unpkg · L285
285patternName = supabase_service_key severity = critical line = 285 matchedText = message:...dd',
Critical
Secret Pattern

Supabase service role key (JWT) in plugin/scripts/error-scrub.cjs

plugin/scripts/error-scrub.cjsView on unpkg · L285
plugin/scripts/onboarding.cjsView file
31const readline = require('node:readline'); L32: const { spawnSync } = require('node:child_process'); L33:
High
Child Process

Package source references child process execution.

plugin/scripts/onboarding.cjsView on unpkg · L31
plugin/scripts/commands.cjsView file
17* Pure data + a resolver. No filesystem/network I/O, no side effects — L18: * safe to `require()` from the bash dispatcher's inline `node -e`, from L19: * `cli.cjs`, and from a `__complete` shell-completion hook alike.
Medium
Dynamic Require

Package source references dynamic require/import behavior.

plugin/scripts/commands.cjsView on unpkg · L17
plugin/scripts/pool-compact.cjsView file
26try { L27: const configPath = path.join(process.env.HOME || process.env.USERPROFILE || '', '.sidewrite', 'config.json'); L28: if (!fs.existsSync(configPath)) return {}; L29: return JSON.parse(fs.readFileSync(configPath, 'utf-8')) || {}; L30: } catch (err) {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

plugin/scripts/pool-compact.cjsView on unpkg · L26
plugin/scripts/updater.cjsView file
33const path = require('node:path'); L34: const https = require('node:https'); L35: const { execFileSync } = require('node:child_process'); L36: const os = require('node:os'); ... L46: const BODY_CAP = 512 * 1024; // 512 KB body cap L47: const HOME_DIR = process.env.HOME || os.homedir(); L48: const SIDEWRITE_DIR = path.join(HOME_DIR, '.sidewrite');
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

plugin/scripts/updater.cjsView on unpkg · L33
plugin/scripts/process-manager.cjsView file
178process.stdout.write( L179: 'sidewrite viewer already running on http://127.0.0.1:' + info.port + '\n' L180: ); ... L186: if (!fs.existsSync(DAEMON_PATH)) { L187: process.stderr.write( L188: 'sidewrite: cannot start viewer daemon; not found at ' + DAEMON_PATH + '\n' ... L193: const logFd = openDaemonLogFd(); L194: const child = spawn( L195: process.execPath,
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

plugin/scripts/process-manager.cjsView on unpkg · L178
plugin/scripts/doctor.cjsView file
30const readline = require('readline'); L31: const { spawnSync } = require('child_process'); L32: L33: const GATE_CORE_PATH = path.join(__dirname, 'gate-core.cjs'); L34: ... L40: const INSTALL_CMD = { L41: darwin: 'curl -fsSL https://claude.ai/install.sh | bash', L42: linux: 'curl -fsSL https://claude.ai/install.sh | bash', ... L47: if (opts && opts.home) return opts.home; L48: return process.env.SIDEWRITE_HOME || path.join(process.env.HOME || os.homedir(), '.sidewrite'); L49: } ... L134: const input = (opts && opts.input) || process.stdin;
Critical
Download Execute

Source downloads or fetches remote code and executes it.

plugin/scripts/doctor.cjsView on unpkg · L30
30const readline = require('readline'); L31: const { spawnSync } = require('child_process'); L32: L33: const GATE_CORE_PATH = path.join(__dirname, 'gate-core.cjs'); L34: ... L40: const INSTALL_CMD = { L41: darwin: 'curl -fsSL https://claude.ai/install.sh | bash', L42: linux: 'curl -fsSL https://claude.ai/install.sh | bash', ... L47: if (opts && opts.home) return opts.home; L48: return process.env.SIDEWRITE_HOME || path.join(process.env.HOME || os.homedir(), '.sidewrite'); L49: } ... L134: const input = (opts && opts.input) || process.stdin;
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

plugin/scripts/doctor.cjsView on unpkg · L30
plugin/scripts/viewer-daemon.cjsView file
matchType = previous_version_dangerous_delta matchedPackage = sidewrite@0.2.0 matchedIdentity = npm:c2lkZXdyaXRl:0.2.0 similarity = 0.831 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

plugin/scripts/viewer-daemon.cjsView on unpkg

Findings

4 Critical6 High5 Medium5 Low
CriticalCritical Secretplugin/scripts/error-scrub.cjs
CriticalDownload Executeplugin/scripts/doctor.cjs
CriticalPrevious Version Dangerous Deltaplugin/scripts/viewer-daemon.cjs
CriticalSecret Patternplugin/scripts/error-scrub.cjs
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processplugin/scripts/onboarding.cjs
HighShell
HighSame File Env Network Executionplugin/scripts/updater.cjs
HighCommand Output Exfiltrationplugin/scripts/process-manager.cjs
HighSandbox Evasion Gated Capabilityplugin/scripts/doctor.cjs
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requireplugin/scripts/commands.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptoplugin/scripts/pool-compact.cjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings