AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The package ships a Claude Code plugin whose configured hooks run on tool events and may invoke the latest Swarmdo package through npx. Its separate interactive installer can add a first-party MCP server to the user's Claude configuration.
Decision evidence
public snapshot- `.claude-plugin/hooks/hooks.json` registers Claude Code PreToolUse/PostToolUse hooks.
- `.claude-plugin/scripts/swarmdo-hook.cjs` forwards hook stdin to `swarmdo hooks` and falls back to `npx --yes swarmdo@latest`.
- `.claude-plugin/scripts/install.sh` interactively writes `~/.claude/settings.json` only when the user selects MCP setup.
- `v3/@swarmdo/cli/scripts/postinstall.cjs` mutates reachable `agentdb` dependency directories at install time.
- `v3/@swarmdo/browser/package.json` contains a nested postinstall that attempts global `agent-browser` installation.
- Root `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
- `bin/cli.js` only resolves and imports the packaged CLI entrypoint.
- Plugin installation is an explicit interactive script, not an npm lifecycle action.
- Inspected postinstall patches only `agentdb` layout/exports; no credential collection, exfiltration, or AI-agent config write was found.
- No confirmed malicious payload, destructive action, or unauthorized remote command chain was found in inspected files.
Source & flagged code
29 flagged · loading sourcePackage contains a critical-looking secret pattern.
v3/@swarmdo/guidance/dist/manifest-validator.jsView on unpkg · L702RSA private key in v3/@swarmdo/guidance/dist/manifest-validator.js
v3/@swarmdo/guidance/dist/manifest-validator.jsView on unpkg · L702Package source references child process execution.
v3/@swarmdo/swarm/dist/coordination/agent-registry.jsView on unpkg · L51Package source references shell execution.
v3/@swarmdo/security/dist/safe-executor.jsView on unpkg · L85Hardcoded password in v3/@swarmdo/guidance/dist/analyzer.js
v3/@swarmdo/guidance/dist/analyzer.jsView on unpkg · L1344Hardcoded password in v3/@swarmdo/guidance/dist/analyzer.js
v3/@swarmdo/guidance/dist/analyzer.jsView on unpkg · L2127Package source references a known benign dynamic code generation pattern.
v3/@swarmdo/guidance/dist/analyzer.jsView on unpkg · L2103Package source references dynamic require/import behavior.
bin/cli.jsView on unpkg · L10Source writes installer persistence such as shell profile or service configuration.
v3/@swarmdo/cli/dist/src/init/statusline-generator.jsView on unpkg · L18A single source file combines environment access, network access, and code or shell execution; review context before blocking.
v3/@swarmdo/cli/dist/src/benchmarks/gaia-tools/grounded_query.js#virtual:normalized:round1View on unpkg · L49Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
v3/vendor/swarmvector/bin/cli.jsView on unpkg · L3Package source invokes a package manager install command at runtime.
v3/@swarmdo/codex/dist/initializer.jsView on unpkg · L300Package ships native binary artifacts.
v3/@swarmvector/attention/platforms/darwin-arm64/swarmvector-attention.nodeView on unpkgPackage ships WebAssembly modules.
v3/@swarmvector/swarmllm-wasm/swarmllm_wasm_bg.wasmView on unpkgPackage hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.
.claude/statusline-command.shView on unpkgPackage ships non-JavaScript build or shell helper files.
.claude/statusline-command.shView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
v3/@swarmdo/cli/dist/src/changelog/changelog.jsView on unpkgHardcoded password in .claude/agents/core/reviewer.md
.claude/agents/core/reviewer.mdView on unpkg · L67Hardcoded password in .claude/agents/sparc/refinement.md
.claude/agents/sparc/refinement.mdView on unpkg · L41Hardcoded password in .claude/agents/sparc/refinement.md
.claude/agents/sparc/refinement.mdView on unpkg · L69Hardcoded password in .claude/agents/sparc/refinement.md
.claude/agents/sparc/refinement.mdView on unpkg · L245Hardcoded password in v3/@swarmdo/plugins/dist/integrations/swarmvector/swarmvector-bridge.js
v3/@swarmdo/plugins/dist/integrations/swarmvector/swarmvector-bridge.jsView on unpkg · L809Hardcoded password in v3/@swarmdo/plugins/dist/integrations/swarmvector/swarmvector-bridge.js
v3/@swarmdo/plugins/dist/integrations/swarmvector/swarmvector-bridge.jsView on unpkg · L1662Hardcoded password in v3/@swarmdo/plugins/dist/integrations/swarmvector/swarmvector-bridge.d.ts
v3/@swarmdo/plugins/dist/integrations/swarmvector/swarmvector-bridge.d.tsView on unpkg · L58Hardcoded password in v3/@swarmdo/plugins/dist/integrations/swarmvector/swarmvector-bridge.d.ts
v3/@swarmdo/plugins/dist/integrations/swarmvector/swarmvector-bridge.d.tsView on unpkg · L194Hardcoded password in v3/@swarmdo/aidefence/README.md
v3/@swarmdo/aidefence/README.mdView on unpkg · L337Hardcoded password in v3/@swarmdo/cli/.claude/agents/sparc/refinement.md
v3/@swarmdo/cli/.claude/agents/sparc/refinement.mdView on unpkg · L339Hardcoded password in v3/@swarmdo/cli/.claude/agents/sparc/refinement.md
v3/@swarmdo/cli/.claude/agents/sparc/refinement.mdView on unpkg · L367Hardcoded password in v3/@swarmdo/cli/.claude/agents/sparc/refinement.md
v3/@swarmdo/cli/.claude/agents/sparc/refinement.mdView on unpkg · L543