registry  /  toga-ai  /  1.0.261

toga-ai@1.0.261

TOGA Technology Team Claude Knowledge System — shared AI coding harness with skills, knowledge base CLI, and project installer for Claude Code.

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a developer tool that installs a Claude Code harness into a project when explicitly run; install-time postinstall does not perform that mutation.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
postinstall prints guidance; user runs toga-ai/npx toga-ai to install harness
Impact
Project .claude configuration is modified only during explicit installer use; no credential exfiltration or hidden payload confirmed
Mechanism
documented .claude harness installer with local hooks and knowledge files
Rationale
The scanner's AI-agent-control concern is explained by the package's advertised purpose and is not activated by postinstall; the actual project mutation happens only when the user invokes the installer. Source inspection did not find unconsented lifecycle control-surface mutation, exfiltration, or hidden malicious execution.
Evidence
package.jsonscripts/install.js.claude/settings.jsonscripts/hooks/kickoff-gate.jsscripts/hooks/block-destructive.jsscripts/hooks/post-edit-validate.jsskills/plan-ticket/scripts/clickup.jsskills/plan-ticket/scripts/talos.js
Network endpoints4
github.com/agilantsolutions/claudeapi.clickup.com/api/v2/task/api-writer.togahub.comapi.togaiq.com

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • scripts/install.js user-invoked install copies skills/agents/rules/hooks into project .claude/
  • scripts/install.js merges package .claude/settings.json hook entries into project settings
  • scripts/install.js can run npm view and git ls-remote/clone/pull against declared update sources
Evidence against
  • package.json postinstall only runs scripts/install.js --post-install, which prints setup guidance and exits before project mutation
  • scripts/install.js writes are aligned with package description as a Claude harness installer
  • Hook scripts inspected are local guard/reminder/validation helpers, not credential harvesters or exfiltration code
  • Network endpoints are package-aligned: npm registry lookup, GitHub repo update, ClickUp/Talos helpers requiring explicit user commands and env/local credentials
  • No obfuscated payload, eval/Function, native binary loading, persistence outside documented harness files, or destructive behavior found
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 16 file(s), 141 KB of source, external domains: api-writer.togahub.com, api.clickup.com, api.togaiq.com, github.com

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/install.js --post-install
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/install.js --post-install
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts/install.jsView file
1Install-time AI-agent control hijack evidence: L11: * 3. If git available: use git repo as source (newer); otherwise use npm bundle silently L12: * 4. Install from chosen source into project .claude/ L13: * ... L111: try { L112: fs.writeFileSync(CACHE_FILE, repoDir + '\n'); L113: } catch (e) { /* non-fatal */ } ... L125: try { L126: fs.mkdirSync(defaultDir, { recursive: true }); L127: ... L167: try { L168: fs.mkdirSync(path.dirname(defaultDir), { recursive: true }); L169: const result = spawnSync('git', ['clone', REPO_URL, defaultDir], { Payload evidence from .claude/settings.json: L1: { L2: "hooks": {
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/install.jsView on unpkg · L1
rules/common/security.mdView file
62patternName = generic_password severity = medium line = 62 matchedText = error_lo...rd);
Medium
Secret Pattern

Hardcoded password in rules/common/security.md

rules/common/security.mdView on unpkg · L62

Findings

1 Critical1 High5 Medium5 Low
CriticalAi Agent Control Hijackscripts/install.js
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patternrules/common/security.md
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License