2026-01-05 · Authensor

How to Gate npm install in AI Agent Workflows

SafeClaw by Authensor blocks npm install commands by default when executed by AI agents, preventing unauthorized dependency additions to your project. Install SafeClaw with npx @authensor/safeclaw and every npm install, npm i, and npm ci invocation is denied and audit-logged until your policy explicitly permits it.

Why npm install Is Dangerous When AI Agents Do It

An AI agent that can run npm install unsupervised can introduce supply chain attacks, typosquatted packages, or packages with postinstall scripts that execute arbitrary code. The npm ecosystem has seen repeated incidents where malicious packages exfiltrate environment variables, install cryptominers, or backdoor build pipelines. When an agent autonomously decides to npm install some-package, it trusts the LLM's hallucination-prone package name resolution: the agent may install a package other than the one intended, or one that was published by an attacker squatting a plausible name. Postinstall scripts run immediately with the same permissions as the agent's shell session.

The Exact SafeClaw Policy to Gate npm install

Add the following rules to .safeclaw/policy.yaml:

rules:
  - id: deny-npm-install
    action: shell.exec
    match:
      command: "npm install*"
    effect: deny
    audit: true
    message: "npm install is blocked. Package additions require human review."

  - id: deny-npm-i-shorthand
    action: shell.exec
    match:
      command: "npm i *"
    effect: deny
    audit: true
    message: "npm i is blocked. Package additions require human review."

  - id: deny-npm-ci
    action: shell.exec
    match:
      command: "npm ci*"
    effect: deny
    audit: true
    message: "npm ci is blocked for agent execution."

Three rules cover the primary invocation patterns. The glob pattern "npm install*" catches both a bare npm install (no arguments, installs from the lockfile) and npm install followed by package names. The "npm i *" rule (note the space before the asterisk) catches the shorthand with arguments.

What Happens When the Agent Tries

When a Claude- or OpenAI-powered agent attempts npm install lodash:

  1. SafeClaw intercepts the shell.exec action before the shell spawns npm.
  2. The deny-npm-install rule matches.
  3. The command is blocked. No network request to the npm registry occurs. No node_modules changes happen.
  4. A hash-chained audit entry is written:

     {
       "timestamp": "2026-02-13T11:20:33Z",
       "action": "shell.exec",
       "command": "npm install lodash",
       "effect": "deny",
       "rule": "deny-npm-install",
       "agent": "code-assistant-07",
       "hash": "c4f1a9...chain"
     }

  5. The agent receives the denial message and can suggest the package to the human operator instead.

How to Allow npm install with Approval

For workflows where agents need to install packages after human vetting:

rules:
  - id: npm-install-with-approval
    action: shell.exec
    match:
      command: "npm install*"
    effect: approval
    audit: true
    approvers:
      - role: developer
    timeout: 600
    message: "npm install requires developer approval. Package name logged for review."

The approval flow surfaces the exact command (including the package name) to the developer. The 600-second timeout gives adequate time to check the package on npmjs.com before approving.

For more granular control, allow installation only from a lockfile (no new packages):

rules:
  - id: allow-npm-ci-only
    action: shell.exec
    match:
      command: "npm ci"
    effect: allow
    audit: true

  - id: deny-all-npm-install
    action: shell.exec
    match:
      command: "npm install*"
    effect: deny
    audit: true
    message: "Only npm ci (lockfile install) is permitted. New packages require human action."

  - id: deny-npm-i
    action: shell.exec
    match:
      command: "npm i *"
    effect: deny
    audit: true
    message: "Only npm ci is permitted."

This pattern allows reproducible lockfile-based installs while blocking any command that could add or modify dependencies.

Verification

npx @authensor/safeclaw simulate --action 'shell.exec' --command 'npm install express'

Expected: deny, rule: deny-npm-install
