registry  /  usrcp-slack  /  0.2.2

usrcp-slack@0.2.2

Slack capture+reader adapter for USRCP — vision-proof cross-channel memory via @slack/bolt + Socket Mode

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a Slack adapter that stores user-provided config, connects to Slack, and calls Anthropic for summaries/replies during explicit setup/runtime use.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install postinstall; explicit usrcp-slack runtime or setup invocation
Impact
Install rebuilds better-sqlite3; runtime may send allowlisted Slack message content to the configured Anthropic API key as part of documented bot behavior.
Mechanism
package-aligned native rebuild plus Slack/Anthropic adapter behavior
Rationale
Static inspection found risky primitives, but they are package-aligned and user-invoked: lifecycle rebuilds a native dependency, setup validates user-supplied credentials, and runtime operates as a Slack bot using configured allowlists. No unconsented install-time agent control hijack, credential harvesting, persistence, remote payload execution, or unrelated exfiltration was found.
Evidence
package.jsondist/index.jsdist/setup.jsdist/config.jsdist/capture.jsdist/reader.jsdist/llm.jsdist/stream-capture.jsnode_modules/better-sqlite3/buildnode_modules/usrcp-core/node_modules/better-sqlite3/buildnode_modules/usrcp-stream/node_modules/better-sqlite3/build~/.usrcp/slack-config.json
Network endpoints5
slack.com/api/auth.testslack.com/api/apps.connections.openslack.com/api/conversations.listapi.slack.com/appsconsole.anthropic.com/account/keys

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json has postinstall deleting better-sqlite3 build dirs then running npm rebuild better-sqlite3
  • dist/index.js runtime connects Slack Socket Mode and processes allowlisted Slack messages
  • dist/setup.js validates user-entered Slack and Anthropic credentials over network
Evidence against
  • postinstall is limited to better-sqlite3 rebuild paths under node_modules; no home/project agent control-surface writes
  • dist/index.js child_process execSync only runs user-invoked --reset-config command: usrcp setup --adapter=slack
  • dist/setup.js writes package config through config.js and requires interactive TTY/masterKey
  • credential handling is setup/runtime aligned: Slack tokens and Anthropic key are user-entered, validated, then encrypted via usrcp-adapter-kit
  • no eval/vm/remote code loading, persistence, destructive broad file operations, or exfiltration endpoint outside Slack/Anthropic flow found
Behavioral surface
Source
ChildProcessEnvironmentVarsNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 7 file(s), 47.5 KB of source, external domains: api.slack.com, console.anthropic.com, slack.com

Source & flagged code

6 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "const fs=require(\"fs\"); for (const p of [\"node_modules/better-sqlite3/build\",\"node_modules/usrcp-core/node_modules/better-sqlite3/build\",\"node_modules/usrcp-stream/...
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.jsonView on unpkg
scripts.postinstall = node -e "const fs=require(\"fs\"); for (const p of [\"node_modules/better-sqlite3/build\",\"node_modules/usrcp-core/node_modules/better-sqlite3/build\",\"node_modules/usrcp-stream/...
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/index.jsView file
25exports.resolveMode = resolveMode; L26: const node_child_process_1 = require("node:child_process"); L27: const bolt_1 = require("@slack/bolt");
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L25
dist/setup.jsView file
46exports.runSlackSetup = runSlackSetup; L47: const https = __importStar(require("node:https")); L48: const node_child_process_1 = require("node:child_process"); L49: const config_js_1 = require("./config.js"); ... L54: return new Promise((resolve) => { L55: process.stderr.write(prompt); L56: const stdin = process.stdin;
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/setup.jsView on unpkg · L46
210package = usrcp-slack; repositoryIdentity = usrcp; dependency = @anthropic-ai/sdk L210: try { L211: const { default: Anthropic } = await import("@anthropic-ai/sdk"); L212: const client = new Anthropic({ apiKey });
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/setup.jsView on unpkg · L210
dist/setup.js#virtual:normalized:round1View file
46exports.runSlackSetup = runSlackSetup; L47: const https = __importStar(require("node:https")); L48: const node_child_process_1 = require("node:child_process"); L49: const config_js_1 = require("./config.js"); ... L54: return new Promise((resolve) => { L55: process.stderr.write(prompt); L56: const stdin = process.stdin; ... L68: for (const ch of chunk) { L69: const code = ch.charCodeAt(0); L70: if (code === CODE_NL || code === CODE_CR || code === CODE_EOT) { ... L229: try { L230: const url = "https://slack.com/api/conversations.list?types=public_channel,private_channel,im,mpim&exclude_archived=true&limit=200";
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/setup.js#virtual:normalized:round1View on unpkg · L46

Findings

1 Critical5 High3 Medium2 Low
CriticalRed Install Lifecycle Scriptpackage.json
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/index.js
HighCommand Output Exfiltrationdist/setup.js
HighSandbox Evasion Gated Capabilitydist/setup.js#virtual:normalized:round1
HighCopied Package Dependency Bridgedist/setup.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowUrl Strings