registry  /  toga-ai  /  1.0.266

toga-ai@1.0.266

TOGA Technology Team Claude Knowledge System — shared AI coding harness with skills, knowledge base CLI, and project installer for Claude Code.

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a Claude team-harness installer that writes .claude skills, agents, hooks, settings, knowledge files, and examples only when the CLI is run; postinstall only displays guidance.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm postinstall shows instructions; explicit toga-ai/npx invocation installs harness files
Impact
Installs team AI-agent configuration into the target project; broad permissions and hooks are visible and package-aligned
Mechanism
user-invoked Claude harness bootstrap and update helper
Rationale
The risky primitives are real but package-aligned and primarily user-invoked; the lifecycle postinstall path exits before modifying Claude control files. Static inspection found no unconsented install-time hijack, credential theft, covert exfiltration, or staged payload.
Evidence
package.jsonscripts/install.js.claude/settings.jsonknowledge.jsskills/plan-ticket/scripts/clickup.jsskills/plan-ticket/scripts/talos.jsmcp-configs/mcp-servers.json~/.toga-tech-path~/toga-tech<project>/.claude/settings.json<project>/.claude/skills/<project>/.claude/agents/toga/<project>/.claude/hooks/toga/<project>/.claude/knowledge/<project>/CLAUDE.md
Network endpoints5
github.com/agilantsolutions/claudetogatech.comapi.clickup.comapi-writer.togahub.comapi.togaiq.com

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json defines postinstall: node scripts/install.js --post-install
  • scripts/install.js user-invoked CLI can merge .claude/settings.json hooks and permissions
  • scripts/install.js can clone/pull https://github.com/agilantsolutions/claude and query npm view toga-ai version
Evidence against
  • scripts/install.js --post-install prints setup instructions and exits before project .claude writes
  • Project writes are tied to explicit toga-ai/npx invocation and match package description as a Claude harness installer
  • No credential harvesting or exfiltration found; env refs are config inputs for team tools
  • Network endpoints are package-aligned update/docs/tool integrations, not covert destinations
  • No eval/vm/native payload or import-time execution beyond CLI dispatch found
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 16 file(s), 141 KB of source, external domains: api-writer.togahub.com, api.clickup.com, api.togaiq.com, github.com

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/install.js --post-install
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/install.js --post-install
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts/install.jsView file
1Install-time AI-agent control hijack evidence: L11: * 3. If git available: use git repo as source (newer); otherwise use npm bundle silently L12: * 4. Install from chosen source into project .claude/ L13: * ... L111: try { L112: fs.writeFileSync(CACHE_FILE, repoDir + '\n'); L113: } catch (e) { /* non-fatal */ } ... L125: try { L126: fs.mkdirSync(defaultDir, { recursive: true }); L127: ... L167: try { L168: fs.mkdirSync(path.dirname(defaultDir), { recursive: true }); L169: const result = spawnSync('git', ['clone', REPO_URL, defaultDir], { Payload evidence from .claude/settings.json: L1: { L2: "hooks": {
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/install.jsView on unpkg · L1
rules/common/security.mdView file
62patternName = generic_password severity = medium line = 62 matchedText = error_lo...rd);
Medium
Secret Pattern

Hardcoded password in rules/common/security.md

rules/common/security.mdView on unpkg · L62

Findings

1 Critical1 High5 Medium5 Low
CriticalAi Agent Control Hijackscripts/install.js
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patternrules/common/security.md
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License