registry  /  @accio-ai/cli  /  0.1.31

@accio-ai/cli@0.1.31

Work Agent CLI - AI-native command line interface

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Automatic installation mutates multiple unrelated AI-agent skill directories under the user's home directory. It also clears the Workctl cache even when skill installation fails.

Static reason
One or more suspicious static signals were detected.; source fingerprint signature matched known malicious package; routed for review
Trigger
npm postinstall
Impact
Future AI-agent sessions can load package-supplied instructions that prompt installation, upgrades, authentication, and use of `workctl`.
Mechanism
Extracts bundled agent instructions and force-copies them into broad AI-agent control surfaces
Policy narrative
On npm postinstall, `install.js` unpacks a bundled skill archive and force-copies its contents into four home-directory AI-agent skill locations, including third-party agent surfaces such as Claude, Cursor, and Codex. These skills are then available for automatic discovery in later agent sessions and instruct agents to install, upgrade, authenticate, and use the package's CLI. This is an unconsented broad AI-agent control-surface mutation.
Rationale
The package has a concrete postinstall persistence mechanism targeting multiple foreign/broad AI-agent instruction directories. The benign binary launcher does not mitigate this automatic control-surface write.
Evidence
package.jsoninstall.jsassets/workctl-skills.zipbin/workctl.js$HOME/.agents/skills/workctl$HOME/.claude/skills/workctl$HOME/.cursor/skills/workctl$HOME/.codex/skills/workctl$HOME/.workctl/cache

Decision evidence

public snapshot
AI called this Malicious at 98.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • `install.js` runs automatically via `postinstall`.
  • `install.js` extracts `assets/workctl-skills.zip` into four home-directory agent skill surfaces.
  • It writes to `.agents/skills`, `.claude/skills`, `.cursor/skills`, and `.codex/skills` without user consent.
  • It force-deletes and recreates `$HOME/.workctl/cache`.
  • The archived skills direct AI agents to install/upgrade and authenticate this CLI.
Evidence against
  • `bin/workctl.js` only resolves a platform package binary and forwards user CLI arguments.
  • The launcher removes three runtime override variables before spawning the binary.
  • Inspected JavaScript contains no credential harvesting or direct network client.
  • The ZIP contains readable Markdown skill instructions, not an opaque executable payload.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystem
Supply chainNo supply-chain packaging signals triggered.
Manifest
NoLicense
scanned 2 file(s), 4.79 KB of source

Source & flagged code

6 flagged · loading source
package.jsonView file
scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
assets/workctl-skills.zipView file
path = assets/workctl-skills.zip kind = high_entropy_blob sizeBytes = 36080 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

assets/workctl-skills.zipView on unpkg
path = assets/workctl-skills.zip kind = compressed_blob sizeBytes = 36080 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

assets/workctl-skills.zipView on unpkg
path = assets/workctl-skills.zip kind = nested_archive_needs_inspection sizeBytes = 36080 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

assets/workctl-skills.zipView on unpkg
bin/workctl.jsView file
matchType = malicious_source_fingerprint_signature signature = 8ea0d542d7ae2741 signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = @accio-ai/cli@0.1.30 matchedPath = bin/workctl.js matchedIdentity = npm:QGFjY2lvLWFpL2NsaQ:0.1.30 similarity = 1.000 shingleOverlap = 2 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

bin/workctl.jsView on unpkg

Findings

3 High4 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
HighShips High Entropy Blobassets/workctl-skills.zip
HighKnown Malware Source Fingerprint Signaturebin/workctl.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
MediumShips Compressed Blobassets/workctl-skills.zip
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowNested Archive Needs Inspectionassets/workctl-skills.zip
LowNo License