registry  /  toga-ai  /  1.0.259

toga-ai@1.0.259

TOGA Technology Team Claude Knowledge System — shared AI coding harness with skills, knowledge base CLI, and project installer for Claude Code.

AI Security Review

scanned 9d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is an AI coding harness installer with user-invoked .claude integration and helper scripts for team workflows.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install runs postinstall notice; user runs toga-ai/npx toga-ai for actual installation
Impact
Installs team Claude Code skills, agents, hooks, settings, knowledge, and examples when explicitly invoked; no unconsented install-time mutation confirmed.
Mechanism
project harness bootstrap, knowledge CLI, optional API helper scripts
Rationale
Static inspection found risky primitives, but they are aligned with the package's stated Claude harness purpose and are either postinstall notices or explicit user-invoked setup/helper flows. No concrete malicious lifecycle behavior, credential theft, exfiltration, destructive action, or unconsented AI-agent control-surface mutation was confirmed.
Evidence
package.jsonscripts/install.jsknowledge.js.claude/settings.jsonscripts/hooks/kickoff-gate.jsscripts/hooks/post-edit-validate.jsskills/plan-ticket/scripts/clickup.jsskills/plan-ticket/scripts/talos.jsmcp-configs/mcp-servers.json~/.toga-tech-path~/toga-tech<project>/.claude/skills<project>/.claude/agents/toga<project>/.claude/hooks/toga<project>/.claude/settings.json<project>/.claude/knowledge<project>/CLAUDE.md~/.talos/credentials.json
Network endpoints4
github.com/agilantsolutions/claudeapi.clickup.com/api/v2api-writer.togahub.comapi.togaiq.com

Decision evidence

public snapshot
AI called this Clean at 84.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json defines postinstall: node scripts/install.js --post-install
  • scripts/install.js user-invoked path writes project .claude skills/agents/hooks/settings/knowledge
  • scripts/install.js can run npm view and git ls-remote/clone/pull against declared repo
  • skills/plan-ticket/scripts/talos.js stores user-provided tokens in ~/.talos/credentials.json
Evidence against
  • postinstall branch only prints first-time setup and exits before .claude writes
  • AI-agent hook/settings mutation happens on explicit toga-ai/npx invocation, matching package description
  • No install-time credential harvesting, filesystem scanning, exfiltration, persistence, or destructive behavior found
  • Network endpoints are package-aligned: npm registry, declared GitHub repo, ClickUp/Talos helper APIs
  • mcp-configs/mcp-servers.json is an example template, not automatically merged into .mcp.json
  • Hook scripts are guard/reminder/validation logic and do not exfiltrate secrets
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 16 file(s), 141 KB of source, external domains: api-writer.togahub.com, api.clickup.com, api.togaiq.com, github.com

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/install.js --post-install
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/install.js --post-install
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts/install.jsView file
1Install-time AI-agent control hijack evidence: L11: * 3. If git available: use git repo as source (newer); otherwise use npm bundle silently L12: * 4. Install from chosen source into project .claude/ L13: * ... L111: try { L112: fs.writeFileSync(CACHE_FILE, repoDir + '\n'); L113: } catch (e) { /* non-fatal */ } ... L125: try { L126: fs.mkdirSync(defaultDir, { recursive: true }); L127: ... L167: try { L168: fs.mkdirSync(path.dirname(defaultDir), { recursive: true }); L169: const result = spawnSync('git', ['clone', REPO_URL, defaultDir], { Payload evidence from .claude/settings.json: L1: { L2: "hooks": {
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/install.jsView on unpkg · L1
rules/common/security.mdView file
62patternName = generic_password severity = medium line = 62 matchedText = error_lo...rd);
Medium
Secret Pattern

Hardcoded password in rules/common/security.md

rules/common/security.mdView on unpkg · L62

Findings

1 Critical1 High5 Medium5 Low
CriticalAi Agent Control Hijackscripts/install.js
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patternrules/common/security.md
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License