registry  /  @accio-ai/cli  /  0.1.29

@accio-ai/cli@0.1.29

Work Agent CLI - AI-native command line interface

AI Security Review

scanned 4h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package mutates broad AI-agent skill directories during npm postinstall. This creates agent instructions for multiple third-party agent surfaces without an explicit user command.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall
Impact
Installs Workctl agent instructions into Claude, Cursor, Codex, and generic agent skill homes and clears workctl cache; no exfiltration was found in inspected package JS.
Mechanism
unconsented AI-agent skill installation
Policy narrative
On installation, npm runs install.js. That script extracts the bundled skills archive and copies its contents into several AI-agent skill locations under the user's home directory, including Claude, Cursor, Codex, and generic agents, then clears the workctl cache. This is unconsented install-time mutation of broad AI-agent control surfaces, even though the bundled material appears package-aligned and no exfiltration was found.
Rationale
Source inspection confirms unconsented postinstall writes into multiple foreign/broad AI-agent skill directories. Under the firewall policy, that install-time control-surface mutation is blocking even without separate credential theft or network exfiltration evidence. Product guard normalized a concrete AI-agent control hijack publish_block to the blockable dangerous-capability shape.
Evidence
package.jsoninstall.jsbin/workctl.jsassets/workctl-skills.zipREADME.mdshare/skills/workctl~/.agents/skills/workctl~/.claude/skills/workctl~/.cursor/skills/workctl~/.codex/skills/workctl~/.workctl/cache
Network endpoints2
www.npmjs.com/package/@accio-ai/cliregistry.npmjs.org

Decision evidence

public snapshot
AI called this Malicious at 94.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node install.js
  • install.js copies bundled skills into ~/.agents/skills, ~/.claude/skills, ~/.cursor/skills, and ~/.codex/skills
  • install.js extracts assets/workctl-skills.zip during install and installs under a workctl skill directory
  • install.js deletes ~/.workctl/cache when present
Evidence against
  • No credential harvesting or exfiltration code found in JS sources
  • No package JS network calls found
  • bin/workctl.js only locates a platform optional dependency binary and spawns it on user CLI invocation
  • Zip inventory contains markdown skill/reference files, not executables
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystem
Supply chainNo supply-chain packaging signals triggered.
Manifest
NoLicense
scanned 2 file(s), 4.79 KB of source

Source & flagged code

5 flagged · loading source
package.jsonView file
scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
assets/workctl-skills.zipView file
path = assets/workctl-skills.zip kind = high_entropy_blob sizeBytes = 35983 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

assets/workctl-skills.zipView on unpkg
path = assets/workctl-skills.zip kind = compressed_blob sizeBytes = 35983 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

assets/workctl-skills.zipView on unpkg
path = assets/workctl-skills.zip kind = nested_archive_needs_inspection sizeBytes = 35983 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

assets/workctl-skills.zipView on unpkg

Findings

2 High4 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
HighShips High Entropy Blobassets/workctl-skills.zip
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
MediumShips Compressed Blobassets/workctl-skills.zip
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowNested Archive Needs Inspectionassets/workctl-skills.zip
LowNo License