AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious install or import-time attack surface. Runtime CLI can capture Claude Code conversation text from explicitly allowlisted project transcript files into the package's USRCP stream store.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm postinstall for native rebuild; user-invoked usrcp-claude-code CLI for capture
Impact
Captures conversational text for configured projects; no unconsented lifecycle agent-control mutation or exfil endpoint seen in package source.
Mechanism
allowlisted Claude Code JSONL tailer and stream capture adapter
Rationale
The scanner's lifecycle warning is explained by a native better-sqlite3 rebuild, while the AI-adjacent file access is user-invoked and gated by an empty-by-default allowlist. I found no install-time control-surface writes, persistence, credential harvesting, destructive behavior, or hardcoded exfiltration endpoint in the package source.
Evidence
package.jsondist/index.jsdist/config.jsdist/watcher.jsdist/capture.jsREADME.mdnode_modules/better-sqlite3/buildnode_modules/usrcp-core/node_modules/better-sqlite3/buildnode_modules/usrcp-stream/node_modules/better-sqlite3/build~/.usrcp/claude-code-config.json~/.claude/projects/<encoded-cwd>/*.jsonl
Decision evidence
public snapshotAI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
- The package tails Claude Code JSONL transcripts from allowlisted projects and writes conversational content to usrcp-stream on user-run CLI.
- It reads ~/.claude/projects and stores offsets in ~/.usrcp/claude-code-config.json.
Evidence against
- package.json postinstall only deletes better-sqlite3 build directories under node_modules and runs npm rebuild better-sqlite3.
- dist/index.js exits unless ~/.usrcp/claude-code-config.json has allowlisted_projects; default config is empty/no-op.
- No install-time writes to CLAUDE.md, .mcp.json, .claude commands, shell startup files, hooks, or other agent control surfaces.
- No hardcoded external URLs/endpoints found in inspected package source; streaming is delegated to package dependency usrcp-stream.
- child_process execSync is only behind explicit --reset-config and runs usrcp setup --adapter=claude-code.
- capture.js maps only user/assistant text turns and skips tool_use/tool_result blocks.
Behavioral surface
ChildProcessEnvironmentVarsFilesystem
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node -e "const fs=require(\"fs\"); for (const p of [\"node_modules/better-sqlite3/build\",\"node_modules/usrcp-core/node_modules/better-sqlite3/build\",\"node_modules/usrcp-stream/...
Critical
Red Install Lifecycle Script
Install-time lifecycle script matches a deterministic static-gate block pattern.
package.jsonView on unpkg•scripts.postinstall = node -e "const fs=require(\"fs\"); for (const p of [\"node_modules/better-sqlite3/build\",\"node_modules/usrcp-core/node_modules/better-sqlite3/build\",\"node_modules/usrcp-stream/...
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgFindings
1 Critical1 High1 Medium2 Low
CriticalRed Install Lifecycle Scriptpackage.json
HighInstall Time Lifecycle Scriptspackage.json
MediumEnvironment Vars
LowScripts Present
LowFilesystem