@appfire-ux/audit-agent@0.20260702.3

Claude Code audit agents for Appfire apps — ux-auditor (/ux-audit), ui-auditor (/ui-audit), /full-audit parallel orchestration. Confluence-ready MD+HTML+PNG output, runtime capture scripts.

AI Security Review

scanned 2d ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Install-time lifecycle mutates Claude Code control files by dropping package-supplied agents and commands. This changes AI-agent behavior without a separate explicit runtime invocation.

Static reason: High-risk behavior combination matched malicious policy.
Trigger: npm install or npm postinstall; npx with --global for home config
Impact: Claude Code command/agent behavior can be replaced with package-authored instructions that have Bash, Write, and WebFetch capability.
Mechanism: postinstall copies AI-agent control templates into .claude
Policy narrative: Installing the package automatically runs bin/install.js, which copies package-controlled Claude Code agent and command definitions into the consuming project’s .claude directory. Those definitions enable Bash, Write, and WebFetch and instruct future audit runs to execute npm/npx workflows and write reports/assets. The behavior is disclosed, but it is still an install-time mutation of an AI-agent control surface.
Rationale: Static inspection confirms unconsented lifecycle AI-agent control-surface mutation via postinstall writes to .claude, matching the firewall block boundary. No credential theft or network exfiltration was found, so the concrete threat is control-surface hijack rather than data exfiltration. Product guard normalized a concrete AI-agent control hijack publish_block to the blockable dangerous-capability shape.
Evidence:
  • package.json
  • bin/install.js
  • templates/agents/ux-auditor.md
  • templates/agents/ui-auditor.md
  • templates/commands/full-audit.md
  • README.md
  • <project>/.claude/agents/ux-auditor.md
  • <project>/.claude/agents/ui-auditor.md
  • <project>/.claude/commands/ux-audit.md
  • <project>/.claude/commands/ui-audit.md
  • <project>/.claude/commands/full-audit.md
  • ~/.claude/agents/*
  • ~/.claude/commands/*
Network endpoints (2):
  • registry.npmjs.org
  • github.com/fuegokit/appfire-ux-guidelines

Decision evidence

public snapshot
AI called this Malicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json runs postinstall: node bin/install.js
  • bin/install.js copies templates into project .claude/agents and .claude/commands during install
  • bin/install.js supports --global writes to ~/.claude
  • templates/agents/*.md grant Bash, Write, WebFetch tools and prescribe npm/npx commands
  • Installed agent instructions can later mutate repos and fetch/install packages
Evidence against
  • No credential harvesting or exfiltration code found
  • No package runtime network calls in bin/install.js
  • No eval/vm/Function or child_process use in installer
  • README discloses .claude install behavior
Behavioral surface
Source: EnvironmentVars, Filesystem
Supply chain: HighEntropyStrings
Manifest: No manifest risk signals triggered.
scanned 3 file(s), 13.5 KB of source

Source & flagged code

3 flagged

package.json
scripts.postinstall = node bin/install.js
High: Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node bin/install.js
Medium: Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
bin/install.js · L4
Install-time AI-agent control hijack evidence:
L4: *
L5: * Copies templates/agents/* -> <target>/.claude/agents/
L6: * templates/commands/* -> <target>/.claude/commands/
L7: *
L8: * Target resolution:
L9: * --global | -g -> ~/.claude (available in every repo)
L10: * default -> project root (INIT_CWD when run via npm postinstall, ...
L29: const targetRoot = isGlobal
L30: ? path.join(os.homedir(), '.claude')
L31: : path.join(process.env.INIT_CWD || process.cwd(), '.claude');
L32: ...
L42: if (!fs.existsSync(src)) return [];
Payload evidence from templates/agents/ux-auditor.md:
L27: - **HTML** — open in browser → ⌘A / Ctrl+A → copy → paste into Confluence
L28: - **PNG** in `assets/` — separate files only; **never** base64 in MD/HTML
L29: ...
L48:
L49: **ux-auditor** writes to `docs/audits/ux-audit/` (or user path). Use relative image paths in MD/HTML: `assets/dashboard-teams-1440w.png` — not `../prod-assets/`, not `data:image/.....
L50: ...
L89: > To finish the audit with full visual evidence, please provide:
L90: > 1. A URL (e.g. `https://…/dashboard`) where you are logged in and can see the full shell, **or**
L91: > 2. Dev command + local port…
Critical: Ai Agent Control Hijack
Install-time source drops package-supplied AI-agent/MCP control files or instructions.

Findings

1 Critical, 1 High, 3 Medium, 3 Low
  • Critical: Ai Agent Control Hijack (bin/install.js)
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Medium: Environment Vars
  • Medium: Structural Risk Force Deep Review
  • Low: Scripts Present
  • Low: Filesystem
  • Low: High Entropy Strings