registry  /  toga-ai  /  1.0.267

toga-ai@1.0.267

TOGA Technology Team Claude Knowledge System — shared AI coding harness with skills, knowledge base CLI, and project installer for Claude Code.

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a Claude/team knowledge harness that installs local .claude assets only when the user runs the CLI; postinstall does not modify agent control files.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm postinstall only prints guidance; npx/toga-ai explicitly installs harness
Impact
Project .claude configuration is updated by explicit CLI use; no unconsented lifecycle mutation confirmed
Mechanism
user-invoked Claude harness bootstrap and knowledge tooling
Rationale
Static inspection shows risky primitives, but they are package-aligned developer tooling and the lifecycle hook exits before writing Claude control surfaces. No hidden install-time exfiltration, destructive action, or unconsented AI-agent control hijack was found.
Evidence
package.jsonscripts/install.js.claude/settings.jsonscripts/hooks/kickoff-gate.jsskills/plan-ticket/scripts/clickup.jsskills/plan-ticket/scripts/talos.jsknowledge.js~/.toga-tech-path~/toga-tech<project>/.claude/skills<project>/.claude/agents/toga<project>/.claude/hooks/toga<project>/.claude/settings.json<project>/CLAUDE.md~/.talos/credentials.json
Network endpoints4
github.com/agilantsolutions/claudeapi.clickup.com/api/v2api-writer.togahub.comapi.togaiq.com

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json defines postinstall and bin scripts/install.js.
  • scripts/install.js user-invoked install writes project .claude skills/agents/hooks/settings/knowledge and CLAUDE.md.
  • scripts/install.js can run npm view and git ls-remote/clone/pull against github.com/agilantsolutions/claude outside postinstall.
  • skills/plan-ticket scripts call ClickUp/Talos APIs with user-provided env/local credentials when explicitly run.
Evidence against
  • scripts/install.js --post-install prints setup instructions and exits before project .claude writes.
  • No install-time credential harvesting or exfiltration found; token/API helpers are skill-invoked tooling.
  • Network endpoints are documented/package-aligned: npm registry, GitHub repo, ClickUp, Talos/TOGA APIs.
  • Hook scripts are local Claude workflow guards/reminders; no hidden persistence beyond user-invoked harness install.
  • knowledge.js child_process/git operations are publish/session commands, not import-time behavior.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 16 file(s), 141 KB of source, external domains: api-writer.togahub.com, api.clickup.com, api.togaiq.com, github.com

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/install.js --post-install
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/install.js --post-install
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts/install.jsView file
1Install-time AI-agent control hijack evidence: L11: * 3. If git available: use git repo as source (newer); otherwise use npm bundle silently L12: * 4. Install from chosen source into project .claude/ L13: * ... L111: try { L112: fs.writeFileSync(CACHE_FILE, repoDir + '\n'); L113: } catch (e) { /* non-fatal */ } ... L125: try { L126: fs.mkdirSync(defaultDir, { recursive: true }); L127: ... L167: try { L168: fs.mkdirSync(path.dirname(defaultDir), { recursive: true }); L169: const result = spawnSync('git', ['clone', REPO_URL, defaultDir], { Payload evidence from .claude/settings.json: L1: { L2: "hooks": {
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/install.jsView on unpkg · L1
rules/common/security.mdView file
62patternName = generic_password severity = medium line = 62 matchedText = error_lo...rd);
Medium
Secret Pattern

Hardcoded password in rules/common/security.md

rules/common/security.mdView on unpkg · L62

Findings

1 Critical1 High5 Medium5 Low
CriticalAi Agent Control Hijackscripts/install.js
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patternrules/common/security.md
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License