registry  /  xtrm-tools  /  0.9.1

xtrm-tools@0.9.1

Claude Code tools installer (skills, hooks, MCP servers)

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `xt install` or `xt claude install`, or enables the bundled Pi extension.
Impact
Can alter agent tool-hook behavior and add configured MCP/subprocess capabilities in the selected project or Pi profile.
Mechanism
Explicit AI-agent configuration and extension installation.
Rationale
Source shows deliberate, user-invoked AI-agent configuration mutation with broad hooks and MCP setup, which warrants a warning under the firewall policy. No concrete malicious chain or unconsented install-time mutation was established.
Evidence
package.jsoncli/dist/index.cjs.xtrm/config/hooks.json.xtrm/config/claude.mcp.json.xtrm/hooks/xtrm-logger.mjspackages/pi-extensions/extensions/xtrm-ui/index.ts.claude/settings.json.mcp.json.pi/mcp.json~/.pi/agent/settings.json.xtrm/debug.db
Network endpoints3
mcp.grep.appmcp.deepwiki.com/mcpregistry.npmjs.org

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `xt install` explicitly syncs MCP, Claude hooks, Pi packages, and skills.
  • `.xtrm/config/hooks.json` wires hooks across Claude session and tool events.
  • `.xtrm/config/claude.mcp.json` adds remote MCP servers and an `npx` server.
  • `xtrm-ui` writes a global Pi setting at `~/.pi/agent/settings.json`.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hook.
  • Agent configuration occurs through explicit CLI subcommands with confirmations for Claude wiring.
  • Reviewed hooks log locally to `.xtrm/debug.db`; no network exfiltration was found.
  • No credential harvesting, covert remote payload loading, or destructive install-time behavior was found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 47 file(s), 471 KB of source, external domains: chat.qwen.ai, dashscope.aliyuncs.com, github.com, mcp.grep.app, registry.npmjs.org, xtrm.dev
Oversized source lightweight scan
cli/dist/index.cjs2.68 MB file, sampled 256 KB
FilesystemChildProcessEnvironmentVarsHighEntropyStringsUrlStringsregistry.npmjs.orgxtrm.dev

Source & flagged code

5 flagged · loading source
packages/pi-extensions/extensions/xtrm-ui/index.tsView file
203const componentPath = join(dirname(entryPath), "modes", "interactive", "components", "assistant-message.js"); L204: const mod = await import(pathToFileURL(componentPath).href) as { L205: AssistantMessageComponent?: AssistantMessageComponentCtor;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

packages/pi-extensions/extensions/xtrm-ui/index.tsView on unpkg · L203
.xtrm/hooks/quality-check.pyView file
path = .xtrm/hooks/quality-check.py kind = payload_in_excluded_dir sizeBytes = 13403 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.xtrm/hooks/quality-check.pyView on unpkg
path = .xtrm/hooks/quality-check.py kind = build_helper sizeBytes = 13403 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

.xtrm/hooks/quality-check.pyView on unpkg
cli/dist/index.cjsView file
path = cli/dist/index.cjs kind = oversized_source_file sizeBytes = 2809799 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

cli/dist/index.cjsView on unpkg
path = cli/dist/index.cjs kind = oversized_cli_entrypoint sizeBytes = 2809799 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

cli/dist/index.cjsView on unpkg

Findings

2 High6 Medium5 Low
HighPayload In Excluded Dir.xtrm/hooks/quality-check.py
HighOversized Source Filecli/dist/index.cjs
MediumDynamic Requirepackages/pi-extensions/extensions/xtrm-ui/index.ts
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helper.xtrm/hooks/quality-check.py
MediumOversized Cli Entrypointcli/dist/index.cjs
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings