registry  /  @accio-ai/cli  /  0.1.30

@accio-ai/cli@0.1.30

Work Agent CLI - AI-native command line interface

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package performs install-time AI-agent skill installation into multiple home-directory agent control surfaces. This is unconsented postinstall mutation of broad/foreign agent skill directories.

Static reason
One or more suspicious static signals were detected.; source fingerprint signature matched known malicious package; routed for review
Trigger
npm install of @accio-ai/cli@0.1.30
Impact
Can add or replace workctl skills for multiple AI agents and clear cache so new commands are discovered after install.
Mechanism
postinstall archive extraction and home-directory agent skill writes
Policy narrative
On npm install, the postinstall script extracts a bundled skills archive into the package and copies its contents into several AI-agent skill directories under the user's home directory, then clears the workctl cache. Those paths are agent extension/control surfaces rather than package-local files, and the action is automatic at install time.
Rationale
Static inspection confirms automatic postinstall mutation of multiple broad AI-agent skill directories, matching the policy for blocking unconsented install-time mutation of foreign/broad AI-agent control surfaces. No exfiltration or remote payload execution was found, but the install-time control-surface write establishes the malicious verdict under the stated boundary. Product guard normalized a concrete AI-agent control hijack publish_block to the blockable dangerous-capability shape.
Evidence
package.jsoninstall.jsbin/workctl.jsassets/workctl-skills.zipshare/skills/workctl~/.agents/skills/workctl~/.claude/skills/workctl~/.cursor/skills/workctl~/.codex/skills/workctl$WORKCTL_CONFIG_DIR/cache or ~/.workctl/cache
Network endpoints6
www.npmjs.com/package/@accio-ai/cliregistry.npmjs.orgopen.example.com/tools/callopen.example.com/registry/detail?domainName=communicationopen.example.com/discovery/cli/schema?clientName=workctlgithub.com/example/work-agent-cli/releases/download/v1.2.3

Decision evidence

public snapshot
AI called this Malicious at 92.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node install.js
  • install.js extracts assets/workctl-skills.zip at install time
  • install.js copies extracted skills into ~/.agents/skills/workctl, ~/.claude/skills/workctl, ~/.cursor/skills/workctl, and ~/.codex/skills/workctl
  • install.js deletes $WORKCTL_CONFIG_DIR/cache or ~/.workctl/cache to force fresh command discovery
  • Bundled SKILL.md instructs agents to install/upgrade @accio-ai/cli@latest and use workctl workflows
Evidence against
  • bin/workctl.js only resolves and spawns a platform-specific @accio-ai/cli-* binary or vendor binary
  • bin/workctl.js removes WORKCTL_MCP_URL, WORKCTL_CATALOG_FIXTURE, and WORKCTL_RUNTIME_CONFIG before spawning
  • Inspected JS sources show no eval/vm/Function, credential harvesting, or network exfiltration
  • Zip contents are markdown skills/references, not executable binaries or scripts
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystem
Supply chainNo supply-chain packaging signals triggered.
Manifest
NoLicense
scanned 2 file(s), 4.79 KB of source

Source & flagged code

6 flagged · loading source
package.jsonView file
scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
assets/workctl-skills.zipView file
path = assets/workctl-skills.zip kind = high_entropy_blob sizeBytes = 35983 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

assets/workctl-skills.zipView on unpkg
path = assets/workctl-skills.zip kind = compressed_blob sizeBytes = 35983 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

assets/workctl-skills.zipView on unpkg
path = assets/workctl-skills.zip kind = nested_archive_needs_inspection sizeBytes = 35983 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

assets/workctl-skills.zipView on unpkg
bin/workctl.jsView file
matchType = malicious_source_fingerprint_signature signature = 8ea0d542d7ae2741 signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = @accio-ai/cli@0.1.29 matchedPath = bin/workctl.js matchedIdentity = npm:QGFjY2lvLWFpL2NsaQ:0.1.29 similarity = 1.000 shingleOverlap = 2 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

bin/workctl.jsView on unpkg

Findings

3 High4 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
HighShips High Entropy Blobassets/workctl-skills.zip
HighKnown Malware Source Fingerprint Signaturebin/workctl.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
MediumShips Compressed Blobassets/workctl-skills.zip
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowNested Archive Needs Inspectionassets/workctl-skills.zip
LowNo License