AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM blocks this version under the AI-agent control-surface policy. npm postinstall persists a package skill into several foreign global AI-agent skill trees. It also downloads and installs a native binary for later execution.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install with lifecycle scripts enabled; later execution of specsync.
Impact
Unconsented modification of broad AI-agent control surfaces and placement of a remotely supplied executable.
Mechanism
Postinstall agent-skill injection plus remote native-binary bootstrap.
Policy narrative
On npm postinstall, the package copies its bundled instruction file into several global AI-agent skill locations without an explicit user command, creating missing directories. It also downloads a platform archive from GitHub Releases and extracts bin/specsync; the launcher later executes that binary. The skill content is not overtly malicious, but the automatic broad agent control-surface mutation meets the blocking condition.
Rationale
Source inspection confirms unconsented postinstall writes to multiple foreign/broad AI-agent control surfaces. Remote binary bootstrap increases impact, despite no direct credential theft in inspected JavaScript.
Evidence
package.jsonscripts/postinstall.jsbin/cli.jsskills/specsync/SKILL.md~/.claude/skills/specsync/SKILL.md~/.codex/skills/specsync/SKILL.md~/.config/opencode/skills/specsync/SKILL.md~/.copilot/skills/specsync/SKILL.md~/.agents/skills/specsync/SKILL.mdbin/specsync
Network endpoints1
github.com/androidand/specsync/releases/download/v${version}/${asset}
Decision evidence
public snapshotAI called this Malicious at 98.0% confidence as Malware with low false-positive risk.
Evidence for policy block
- package.json invokes postinstall.
- scripts/postinstall.js writes SKILL.md into five global AI-agent directories.
- Writes are automatic, recursive, and create absent directories.
- Postinstall downloads and extracts an unchecked release binary.
- bin/cli.js executes the downloaded binary.
Evidence against
- skills/specsync/SKILL.md contains workflow guidance, not credential theft.
- Inspected JavaScript has no eval, env harvesting, or non-GitHub endpoint.
Behavioral surface
ChildProcessFilesystemNetwork
UrlStrings
Source & flagged code
3 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgscripts/postinstall.jsView file
1Install-time AI-agent control hijack evidence:
L44: // Install the specsync skill into every known global agent skill directory.
L45: // Non-fatal: a missing ~/.claude or ~/.codex directory is normal.
L46: function installSkill() {
...
L50: const agentDirs = [
L51: path.join(os.homedir(), ".claude", "skills", "specsync"),
L52: path.join(os.homedir(), ".codex", "skills", "specsync"),
L53: path.join(os.homedir(), ".config", "opencode", "skills", "specsync"),
...
L60: try {
L61: fs.mkdirSync(dir, { recursive: true });
L62: fs.writeFileSync(path.join(dir, "SKILL.md"), skill);
L63: console.log(`specsync: skill installed → ${dir}`);
...
L71:
Payload evidence from skills/specsync/SKILL.md:
L1: ---
L2: name: specsync
Critical
Ai Agent Control Hijack
Install-time source drops package-supplied AI-agent/MCP control files or instructions.
scripts/postinstall.jsView on unpkg · L1Findings
1 Critical1 High3 Medium3 Low
CriticalAi Agent Control Hijackscripts/postinstall.js
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowUrl Strings