Oathe Security Badge

Is pipecrew-ai/pipecrew safe?

https://github.com/pipecrew-ai/pipecrew

74
CAUTION

PipeCrew is a sophisticated multi-skill AI coding assistant plugin that orchestrates Claude Code subagents for software development workflows. It presents meaningful but not malicious security concerns: it installs a system-wide PreToolUse hook that fires on every Bash dispatch, includes an auto-approve mechanism that bypasses per-tool permission prompts during /deliver runs, and can push workspace metadata (architecture docs, repo paths, domain configuration) to external GitHub repositories via an opt-in memory sync feature. No evidence of prompt injection attacks, malicious data exfiltration, or canary file compromise was detected; the skill's risk profile stems from its legitimately broad permission requirements rather than adversarial intent.

Category Scores

Prompt Injection 75/100 · 30%
Data Exfiltration 70/100 · 25%
Code Execution 65/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 88/100 · 10%
Behavioral Reasoning 70/100 · 5%

Findings (8)

HIGH System-wide PreToolUse hook installed by plugin -20

The .claude-plugin/hooks/hooks.json file ships a PreToolUse Bash hook backed by scripts/troubleshooter-bash-guard.js. Claude Code's hook system has no per-skill or per-agent scoping — this hook fires on EVERY Bash dispatch in the user's entire Claude Code environment. The skill uses a marker file (~/.claude/.pipecrew-troubleshooter-active) to self-limit enforcement to active troubleshoot runs, but the hook code executes on every call to check the marker, consuming compute and representing a persistent modification to the user's environment.

HIGH Auto-approve hook bypasses per-tool permission prompts -15

The --auto-approve flag for /deliver activates scripts/deliver-autoapprove-hook.js, which intercepts PreToolUse events and auto-approves file Edit/Write operations plus vetted Bash commands without presenting them to the user. While the skill documents a conservative allowlist, this fundamentally reduces Claude Code's safety model during /deliver runs and could be exploited if the allowlist classifier is bypassed.

HIGH GitHub memory sync pushes workspace metadata to external repository -15

scripts/sync-memory.js is invoked automatically at checkpoints during /discover, /deliver, /learn, and /context-refresh runs when config.workspace.memory.enabled is true. It commits workspace durable docs including platform.md (architecture, entities, auth model), config.json (repo paths, tech stacks, spec file locations), audit-findings.md, and agent-context to an external GitHub repository. While opt-in, once enabled it runs automatically without per-push user consent.

MEDIUM Runtime npx package installation via ensure-mcp.js -10

The /assess and /deliver skills invoke scripts/ensure-mcp.js to install the chrome-devtools MCP tool using 'npx -y chrome-devtools-mcp@latest' without version pinning. The -y flag suppresses interactive confirmation, and @latest resolves at runtime, creating a supply-chain dependency on the npm registry that was not evaluated during this audit.

MEDIUM Extensive auto-loaded skill instructions modify agent behavior across multiple sessions -10

The combined SKILL.md content (scaffold, review, discover, patch, learn, deliver, assess, memory-sync, siteview-*, draw-diagram, troubleshoot, context-refresh, simulate-run, site-view) totals thousands of lines of agent instructions injected into the system prompt. This large context footprint occupies significant attention budget and could crowd out other important context for users running multiple skills simultaneously.

MEDIUM Session transcript and PR comment harvesting -10

scripts/collect-session-feedback.js reads Claude Code session transcripts from ~/.claude/projects/.../*.jsonl and scripts/collect-pr-feedback.js fetches all PR review comments from GitHub. These scripts aggregate broad sets of user activity (conversation history, code review feedback) into local files that are then passed to the feedback-learner agent. The session harvesting in particular may capture sensitive conversation content.

LOW Large permission footprint and multi-repo code modification scope -15

The /deliver skill creates git worktrees across multiple repositories simultaneously, dispatches parallel subagents with Edit/Write/Bash access, creates GitHub PRs, and modifies OpenAPI specs and CLAUDE.md files. The scope of filesystem and git operations is unusually broad for a single skill invocation.

INFO Canary file reads attributed to audit infrastructure, not skill 0

Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .gcloud/application_default_credentials.json) were read at timestamp 1783410748.183, approximately 5 seconds before the git clone initiated at 1783410753. Read syscalls were CLOSE_NOWRITE confirming read-only access. Timing and process context (sudo during audit setup) indicate these are Oathe baseline hash reads, not skill-initiated exfiltration.