registry  /  toga-ai  /  1.0.265

toga-ai@1.0.265

TOGA Technology Team Claude Knowledge System — shared AI coding harness with skills, knowledge base CLI, and project installer for Claude Code.

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a Claude harness installer whose high-risk writes occur on explicit CLI use, while postinstall only prints instructions and exits.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm postinstall prints setup instructions; user-run toga-ai/npx toga-ai performs installation
Impact
Installs package-supplied Claude Code skills, agents, rules, hooks, settings, knowledge docs, and helper CLIs into a project .claude tree when explicitly invoked
Mechanism
project Claude harness bootstrap and knowledge sync
Rationale
The package has AI-agent control-surface installation capability, but source inspection shows it is the declared purpose and is not activated by lifecycle postinstall beyond a message. Network and shell operations are tied to version checks, git-backed knowledge sync/publish, or explicit helper scripts rather than covert execution or exfiltration.
Evidence
package.jsonscripts/install.jsknowledge.jssync-skills.jsmcp-configs/mcp-servers.json.claude/settings.jsonscripts/hooks/kickoff-gate.jsscripts/hooks/block-destructive.jsscripts/hooks/post-edit-validate.jsskills/plan-ticket/scripts/clickup.jsskills/plan-ticket/scripts/talos.js.claude/skills/.claude/rules/toga/common/.claude/agents/toga/.claude/hooks/toga/.claude/knowledge.js.claude/contexts/toga/.claude/mcp-servers.example.json.claude/knowledge/.claude/toga-ai.versionCLAUDE.md~/.toga-tech-path~/toga-tech
Network endpoints5
github.com/agilantsolutions/claudetogatech.comapi.clickup.comapi-writer.togahub.comapi.togaiq.com

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json defines postinstall: node scripts/install.js --post-install
  • scripts/install.js can install Claude hooks/settings/skills into a project's .claude directory when run as CLI
  • scripts/install.js uses npm view and git clone/pull against github.com/agilantsolutions/claude outside postinstall
Evidence against
  • scripts/install.js --post-install exits after setup message before project .claude writes or git clone/init path
  • AI-agent files and hooks are package-aligned with description as a Claude Code team harness
  • No credential harvesting or exfiltration found; env vars are used for repo path/config templates
  • MCP config is copied only as .claude/mcp-servers.example.json and README says manual merge is required
  • knowledge.js child_process use is tied to explicit publish/session commands, validation, git workflow
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 16 file(s), 141 KB of source, external domains: api-writer.togahub.com, api.clickup.com, api.togaiq.com, github.com

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/install.js --post-install
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/install.js --post-install
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts/install.jsView file
1Install-time AI-agent control hijack evidence: L11: * 3. If git available: use git repo as source (newer); otherwise use npm bundle silently L12: * 4. Install from chosen source into project .claude/ L13: * ... L111: try { L112: fs.writeFileSync(CACHE_FILE, repoDir + '\n'); L113: } catch (e) { /* non-fatal */ } ... L125: try { L126: fs.mkdirSync(defaultDir, { recursive: true }); L127: ... L167: try { L168: fs.mkdirSync(path.dirname(defaultDir), { recursive: true }); L169: const result = spawnSync('git', ['clone', REPO_URL, defaultDir], { Payload evidence from .claude/settings.json: L1: { L2: "hooks": {
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/install.jsView on unpkg · L1
rules/common/security.mdView file
62patternName = generic_password severity = medium line = 62 matchedText = error_lo...rd);
Medium
Secret Pattern

Hardcoded password in rules/common/security.md

rules/common/security.mdView on unpkg · L62

Findings

1 Critical1 High5 Medium5 Low
CriticalAi Agent Control Hijackscripts/install.js
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patternrules/common/security.md
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License