yana-ai@0.43.1

Audits your AI coding agent setup before it can damage your repo. 55 hooks · 1989 skills · 101 agents · Claude Code + Codex compatible.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package automatically mutates a consuming project's Claude/AI-agent control surface during npm postinstall. This is unconsented lifecycle installation of hooks, commands, agents, rules, and plugin metadata into project .claude paths.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install of yana-ai@0.43.1 with lifecycle scripts enabled
Impact
Claude Code or related agent sessions in the project may execute package-supplied hooks and instructions after install, changing agent behavior without an explicit setup command.
Mechanism
postinstall copies package-supplied AI-agent hook/control files into target project
Policy narrative
On install, npm runs the package postinstall script with --auto. The installer resolves the target from INIT_CWD or cwd, then recursively copies package-owned hooks, commands, agents, rules, scripts, and gates into the consuming project's .claude directories plus .claude-plugin metadata. The shipped hook manifest wires Claude hook events to those package-supplied shell commands, creating an automatic AI-agent control-surface mutation at install time.
Rationale
Source inspection confirms unconsented npm postinstall mutation of a broad Claude/AI-agent control surface, which meets the firewall block policy even without observed exfiltration. The behavior is package-aligned safety tooling, but it is activated by lifecycle install rather than an explicit user setup command. Product guard normalized a concrete AI-agent control hijack publish_block to the blockable dangerous-capability shape.
Evidence
  • package.json
  • scripts/npm-install.js
  • .claude-plugin/hooks/hooks.json
  • core/hooks/telemetry-sender.sh
  • scripts/yana-rt-wrapper.js
  • .claude/hooks/*
  • .claude/commands/*
  • .claude/agents/*
  • .claude/rules/*
  • .claude/scripts/*
  • .claude/gates/*
  • .claude-plugin/plugin.json
  • .claude-plugin/marketplace.json

Decision evidence

public snapshot
AI called this Malicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node scripts/npm-install.js --auto
  • scripts/npm-install.js uses INIT_CWD/process.cwd as TARGET project root
  • postinstall copies core/hooks, commands, agents, rules, scripts, gates into TARGET .claude/*
  • postinstall also writes .claude-plugin/plugin.json and marketplace.json
  • copied .claude-plugin/hooks/hooks.json wires Claude hooks to package shell commands
Evidence against
  • No credential harvesting or external exfiltration found in inspected install script
  • core/hooks/telemetry-sender.sh writes local .claude/state/telemetry.jsonl only
  • scripts/yana-rt-wrapper.js only execFileSyncs explicit/system/package runtime candidates
  • No large hidden binary payloads found by size scan
Behavioral surface
Source
ChildProcess · Crypto · DynamicRequire · EnvironmentVars · Filesystem
Supply chain
HighEntropyStrings
Manifest
No manifest risk signals triggered.
scanned 12 file(s), 66.8 KB of source

Source & flagged code

25 flagged

package.json
scripts.postinstall = node scripts/npm-install.js --auto
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

scripts.postinstall = node scripts/npm-install.js --auto
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

core/hooks/gitnexus-hook.js
L15: const path = require('path');
L16: const { spawnSync } = require('child_process');
L17:
High
Child Process

Package source references child process execution.

L127: if (useDirectBinary) {
L128: return spawnSync(isWin ? 'gitnexus.cmd' : 'gitnexus', args, {
L129: encoding: 'utf-8',
...
L134: }
L135: // npx fallback needs shell on Windows since npx is a .cmd script
L136: return spawnSync(isWin ? 'npx.cmd' : 'npx', ['-y', 'gitnexus', ...args], {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

core/gates/structured-output-validator.js
L7:
L8: const fs = require('fs');
L9: const path = require('path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

scripts/npm-install.js
Install-time AI-agent control hijack evidence:
L3: * yana-ai npm installer
L4: * Copies plugin files to .claude/ in the current project.
L5: * Run: npx yana-ai OR yarn yana-ai
...
L15: const COPY_DIRS = [
L16: ["core/hooks", ".claude/hooks"],
L17: ["core/commands", ".claude/commands"],
L18: ["core/agents", ".claude/agents"],
L19: ["core/rules", ".claude/rules"],
L20: // ── core/scripts + core/gates ──────────────────────────────────────────────
...
L22: // they're listed in package.json "files" (so they DO ship inside the npm
L23: // tarball) — they just never landed in the target project's .claude/.
L24: // Several installed hooks reference them by relative path:
Payload evidence from core/hooks/agent-pixel-notify.sh:
L15: EVENT="${1:-start}"
L16: BRIDGE_URL="${YANA_PIXEL_BRIDGE_URL:-http://127.0.0.1:5000}/webhook/agent-hook"
L17:
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

core/gates/identity-gate.sh
path = core/gates/identity-gate.sh · kind = build_helper · sizeBytes = 10457 · magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

.claude-plugin/hooks/yana-audit-rewake.sh
path = .claude-plugin/hooks/yana-audit-rewake.sh · kind = payload_in_excluded_dir · sizeBytes = 1696 · magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

core/agents/test-engineer.md
patternName = generic_password · severity = medium · line = 116 · matchedText = password...3!',
Medium
Secret Pattern

Hardcoded password in core/agents/test-engineer.md

patternName = generic_password · severity = medium · line = 155 · matchedText = password...123'
Medium
Secret Pattern

Hardcoded password in core/agents/test-engineer.md

patternName = generic_password · severity = medium · line = 168 · matchedText = password...123'
Medium
Secret Pattern

Hardcoded password in core/agents/test-engineer.md

patternName = generic_password · severity = medium · line = 174 · matchedText = { email:...' },
Medium
Secret Pattern

Hardcoded password in core/agents/test-engineer.md

patternName = generic_password · severity = medium · line = 175 · matchedText = { email:...' },
Medium
Secret Pattern

Hardcoded password in core/agents/test-engineer.md

patternName = generic_password · severity = medium · line = 188 · matchedText = password...23',
Medium
Secret Pattern

Hardcoded password in core/agents/test-engineer.md

core/commands/api-scaffold.md
patternName = generic_password · severity = medium · line = 1540 · matchedText = test_pas...123"
Medium
Secret Pattern

Hardcoded password in core/commands/api-scaffold.md

core/commands/test-harness.md
patternName = generic_password · severity = medium · line = 1197 · matchedText = password...23',
Medium
Secret Pattern

Hardcoded password in core/commands/test-harness.md

patternName = generic_password · severity = medium · line = 1235 · matchedText = password...123'
Medium
Secret Pattern

Hardcoded password in core/commands/test-harness.md

patternName = generic_password · severity = medium · line = 1251 · matchedText = password...ord'
Medium
Secret Pattern

Hardcoded password in core/commands/test-harness.md

patternName = generic_password · severity = medium · line = 1277 · matchedText = const pa...23';
Medium
Secret Pattern

Hardcoded password in core/commands/test-harness.md

patternName = generic_password · severity = medium · line = 1298 · matchedText = const pa...rd';
Medium
Secret Pattern

Hardcoded password in core/commands/test-harness.md

core/commands/db-migrate.md
patternName = generic_password · severity = medium · line = 1401 · matchedText = password...ord'
Medium
Secret Pattern

Hardcoded password in core/commands/db-migrate.md

patternName = generic_password · severity = medium · line = 1411 · matchedText = password...ord'
Medium
Secret Pattern

Hardcoded password in core/commands/db-migrate.md

core/commands/config-validate.md
patternName = generic_password · severity = medium · line = 688 · matchedText = password...123'
Medium
Secret Pattern

Hardcoded password in core/commands/config-validate.md

patternName = generic_password · severity = medium · line = 701 · matchedText = password...123'
Medium
Secret Pattern

Hardcoded password in core/commands/config-validate.md

patternName = generic_password · severity = medium · line = 715 · matchedText = password...23',
Medium
Secret Pattern

Hardcoded password in core/commands/config-validate.md

Findings

1 Critical · 4 High · 22 Medium · 3 Low

Critical · Ai Agent Control Hijack · scripts/npm-install.js
High · Install Time Lifecycle Scripts · package.json
High · Child Process · core/hooks/gitnexus-hook.js
High · Runtime Package Install · core/hooks/gitnexus-hook.js
High · Payload In Excluded Dir · .claude-plugin/hooks/yana-audit-rewake.sh
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Dynamic Require · core/gates/structured-output-validator.js
Medium · Environment Vars
Medium · Ships Build Helper · core/gates/identity-gate.sh
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · core/agents/test-engineer.md
Medium · Secret Pattern · core/agents/test-engineer.md
Medium · Secret Pattern · core/agents/test-engineer.md
Medium · Secret Pattern · core/agents/test-engineer.md
Medium · Secret Pattern · core/agents/test-engineer.md
Medium · Secret Pattern · core/agents/test-engineer.md
Medium · Secret Pattern · core/commands/api-scaffold.md
Medium · Secret Pattern · core/commands/test-harness.md
Medium · Secret Pattern · core/commands/test-harness.md
Medium · Secret Pattern · core/commands/test-harness.md
Medium · Secret Pattern · core/commands/test-harness.md
Medium · Secret Pattern · core/commands/test-harness.md
Medium · Secret Pattern · core/commands/db-migrate.md
Medium · Secret Pattern · core/commands/db-migrate.md
Medium · Secret Pattern · core/commands/config-validate.md
Medium · Secret Pattern · core/commands/config-validate.md
Medium · Secret Pattern · core/commands/config-validate.md
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings