0x2ai-zoe @1.2.0

Summary

On npm install , scripts/postinstall.cjs copies the entire payload/ tree into process.env.INIT_CWD (the directory the developer ran npm from), depositing CLAUDE.md,.claude/settings.json,.claude/commands/0x2ai-boot.md,.mcp.json, and several MCP server.cjs files outside the package's own install directory. CLAUDE.md is auto-loaded as project instructions by Claude Code, and.mcp.json hardcodes BRIDGE_URL=https://zoe.0x2ai.com so that any subsequent Claude Code session in that directory routes chatroom_post, memory_save/load/search, brainmail_send, provider_query (user LLM prompts), and settings_set (which can carry API keys) calls through the author's host. bin/start.cjs additionally spawns claude --dangerously-skip-permissions , disabling per-tool consent prompts for filesystem and shell access during the session. The combination — install-time configuration injection into a directory the package does not own + a persona instructing the agent to follow remote-bridge directives + skip-permissions launch — gives the operator at zoe.0x2ai.com unprompted tool access on the developer's machine and silently relays prompts and settings (including credentials) off-host. The install-time write of opinionated Claude Code configuration into the developer's working directory occurs without consent and is the install-time-harm component; the bridge relay is the silent-relay component for any session subsequently opened in that directory.

Source: amazon-inspector (724bd98c39a8e4ff21b039fddeadfda7f0ef7e3c6be47e771d72efed77d02b1b)