registry  /  usrcp-slack  /  0.2.0

usrcp-slack@0.2.0

Slack capture+reader adapter for USRCP — vision-proof cross-channel memory via @slack/bolt + Socket Mode

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found, but the install lifecycle mutates dependency build directories and runs npm rebuild. Runtime network and credential handling match the advertised Slack adapter behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install for postinstall; explicit CLI runtime for Slack bot/setup
Impact
Potential install-time project dependency mutation; no confirmed data theft or covert execution.
Mechanism
install-time dependency rebuild plus user-invoked Slack/Anthropic adapter
Attack narrative
The only non-user runtime action with notable risk is package.json postinstall, which removes better-sqlite3 build directories in node_modules and invokes npm rebuild. Source inspection did not show covert payload download, credential exfiltration, persistence, or hidden command execution; Slack and Anthropic calls are part of setup and bot operation.
Rationale
This is not source-confirmed malware, but the install-time node_modules mutation is a real supply-chain risk that should not be marked clean. Runtime child_process and network findings are user-invoked and package-aligned.
Evidence
package.jsondist/index.jsdist/setup.jsdist/config.jsdist/capture.jsdist/reader.jsdist/llm.jsdist/stream-capture.jsnode_modules/better-sqlite3/buildnode_modules/usrcp-core/node_modules/better-sqlite3/buildnode_modules/usrcp-stream/node_modules/better-sqlite3/build~/.usrcp/slack-config.json
Network endpoints5
slack.com/api/auth.testslack.com/api/apps.connections.openslack.com/api/conversations.listapi.slack.com/appsconsole.anthropic.com/account/keys

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json postinstall deletes better-sqlite3 build dirs under node_modules and runs npm rebuild better-sqlite3 at install time.
  • dist/index.js exposes --reset-config path that execSyncs `usrcp setup --adapter=slack`, but only when user passes the flag.
  • dist/setup.js validates user-entered Slack and Anthropic credentials against vendor APIs and opens vendor setup URLs via execSync after prompt.
Evidence against
  • No import-time execution beyond module definitions; dist/index.js main only starts when run as CLI.
  • Network use is package-aligned: Slack Socket Mode/API and Anthropic SDK for a Slack bot setup/reply workflow.
  • Secrets are read from encrypted adapter config and user prompts; no evidence of credential harvesting or exfiltration to non-vendor endpoints.
  • No eval/vm/Function, persistence, hidden downloader, binary loading, or AI-agent control-surface writes found.
  • Slack capture/reply logic is gated by configured user_id and allowlisted_channels.
Behavioral surface
Source
ChildProcessEnvironmentVarsNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 7 file(s), 47.5 KB of source, external domains: api.slack.com, console.anthropic.com, slack.com

Source & flagged code

6 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "const fs=require(\"fs\"); for (const p of [\"node_modules/better-sqlite3/build\",\"node_modules/usrcp-core/node_modules/better-sqlite3/build\",\"node_modules/usrcp-stream/...
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.jsonView on unpkg
scripts.postinstall = node -e "const fs=require(\"fs\"); for (const p of [\"node_modules/better-sqlite3/build\",\"node_modules/usrcp-core/node_modules/better-sqlite3/build\",\"node_modules/usrcp-stream/...
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/index.jsView file
25exports.resolveMode = resolveMode; L26: const node_child_process_1 = require("node:child_process"); L27: const bolt_1 = require("@slack/bolt");
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L25
dist/setup.jsView file
46exports.runSlackSetup = runSlackSetup; L47: const https = __importStar(require("node:https")); L48: const node_child_process_1 = require("node:child_process"); L49: const config_js_1 = require("./config.js"); ... L54: return new Promise((resolve) => { L55: process.stderr.write(prompt); L56: const stdin = process.stdin;
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/setup.jsView on unpkg · L46
210package = usrcp-slack; repositoryIdentity = usrcp; dependency = @anthropic-ai/sdk L210: try { L211: const { default: Anthropic } = await import("@anthropic-ai/sdk"); L212: const client = new Anthropic({ apiKey });
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/setup.jsView on unpkg · L210
dist/setup.js#virtual:normalized:round1View file
46exports.runSlackSetup = runSlackSetup; L47: const https = __importStar(require("node:https")); L48: const node_child_process_1 = require("node:child_process"); L49: const config_js_1 = require("./config.js"); ... L54: return new Promise((resolve) => { L55: process.stderr.write(prompt); L56: const stdin = process.stdin; ... L68: for (const ch of chunk) { L69: const code = ch.charCodeAt(0); L70: if (code === CODE_NL || code === CODE_CR || code === CODE_EOT) { ... L229: try { L230: const url = "https://slack.com/api/conversations.list?types=public_channel,private_channel,im,mpim&exclude_archived=true&limit=200";
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/setup.js#virtual:normalized:round1View on unpkg · L46

Findings

1 Critical5 High3 Medium2 Low
CriticalRed Install Lifecycle Scriptpackage.json
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/index.js
HighCommand Output Exfiltrationdist/setup.js
HighSandbox Evasion Gated Capabilitydist/setup.js#virtual:normalized:round1
HighCopied Package Dependency Bridgedist/setup.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowUrl Strings