registry  /  toga-ai  /  1.0.263

toga-ai@1.0.263

TOGA Technology Team Claude Knowledge System — shared AI coding harness with skills, knowledge base CLI, and project installer for Claude Code.

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a Claude Code team harness that writes .claude workflow files only during explicit CLI use; postinstall only displays instructions.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm postinstall shows instructions; user runs toga-ai/npx toga-ai to install harness
Impact
Project .claude configuration is modified as advertised when explicitly invoked; no unconsented install-time control hijack found.
Mechanism
project-local Claude harness bootstrap and knowledge sync
Rationale
The risky primitives are real, but source inspection shows they support an advertised, user-invoked Claude harness installer; the lifecycle hook exits before project mutation. I found no credential harvesting, hidden payload execution, destructive behavior, or unconsented install-time AI-agent control-surface mutation.
Evidence
package.jsonscripts/install.js.claude/settings.jsonscripts/hooks/kickoff-gate.jsscripts/hooks/block-destructive.jsscripts/hooks/session-start.jsscripts/hooks/post-edit-validate.jsknowledge.jssync-skills.js.claude/skills/./.claude/rules/toga/common/./.claude/agents/toga/./.claude/hooks/toga/./.claude/knowledge.js./.claude/settings.json./.claude/mcp-servers.example.json./.claude/knowledge/./CLAUDE.md./.claude/toga-ai.version~/.toga-tech-path~/toga-tech
Network endpoints2
github.com/agilantsolutions/claudetogatech.com

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json defines postinstall: node scripts/install.js --post-install.
  • scripts/install.js user-invoked bin copies skills/agents/hooks/rules/knowledge into project .claude/ and merges .claude/settings.json.
  • .claude/settings.json template wires Claude Code hooks and broad Bash permissions for project workflow.
  • scripts/install.js can run npm view and git ls-remote/clone/pull against the declared team repo when not postinstall.
Evidence against
  • scripts/install.js --post-install prints setup instructions and exits before mutating project files.
  • Install-time code does not harvest credentials, read arbitrary user files, persist globally, or exfiltrate data.
  • Network use is package-aligned update/version logic for npm and https://github.com/agilantsolutions/claude.
  • AI-agent control files are the advertised purpose: a Claude harness installer invoked by toga-ai/npx toga-ai.
  • Hook scripts inspected are local workflow gates/validators and do not contain hidden payload download or exfiltration.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 16 file(s), 141 KB of source, external domains: api-writer.togahub.com, api.clickup.com, api.togaiq.com, github.com

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/install.js --post-install
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/install.js --post-install
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts/install.jsView file
1Install-time AI-agent control hijack evidence: L11: * 3. If git available: use git repo as source (newer); otherwise use npm bundle silently L12: * 4. Install from chosen source into project .claude/ L13: * ... L111: try { L112: fs.writeFileSync(CACHE_FILE, repoDir + '\n'); L113: } catch (e) { /* non-fatal */ } ... L125: try { L126: fs.mkdirSync(defaultDir, { recursive: true }); L127: ... L167: try { L168: fs.mkdirSync(path.dirname(defaultDir), { recursive: true }); L169: const result = spawnSync('git', ['clone', REPO_URL, defaultDir], { Payload evidence from .claude/settings.json: L1: { L2: "hooks": {
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/install.jsView on unpkg · L1
rules/common/security.mdView file
62patternName = generic_password severity = medium line = 62 matchedText = error_lo...rd);
Medium
Secret Pattern

Hardcoded password in rules/common/security.md

rules/common/security.mdView on unpkg · L62

Findings

1 Critical1 High5 Medium5 Low
CriticalAi Agent Control Hijackscripts/install.js
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patternrules/common/security.md
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License