AI Security Review
scanned 2h ago · by lpm-firewall-ai
LPM blocks this version under the AI-agent control-surface policy. Install-time lifecycle code plants Claude Code agent and slash-command files into a consumer project's .claude directory without an explicit user action. The planted agent has broad Bash/Write/WebFetch capabilities and carries instructions to run future npm installs/updates.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install of the package or explicit bin invocation
Impact
Consumer projects receive package-supplied AI-agent instructions that can later run privileged audit workflows and package installs inside the repo.
Mechanism
unconsented lifecycle mutation of Claude Code control surface
Policy narrative
On npm install, package.json runs bin/install.js. That script resolves the caller project via INIT_CWD/process.cwd and copies bundled Claude Code agent and command templates into .claude/agents and .claude/commands, or into ~/.claude when invoked with --global. The installed agent is product-aligned UX-audit content, but it is delivered through an npm lifecycle hook into a foreign AI-agent control surface and includes broad tool permissions plus instructions to run npm install/update/npx workflows.
Rationale
The concrete issue is not classic malware but lifecycle-triggered mutation of Claude Code control files in the consuming project, which the policy treats as blockable AI-agent control hijack. Product alignment and lack of exfiltration do not neutralize the unconsented install-time write into a foreign agent surface.
Evidence
- package.json
- bin/install.js
- templates/agents/ux-auditor.md
- templates/commands/ux-audit.md
- scripts/ux-audit-capture.mjs
- README.md
- <project>/.claude/agents/ux-auditor.md
- <project>/.claude/commands/ux-audit.md
- ~/.claude/agents/ux-auditor.md
- ~/.claude/commands/ux-audit.md
Network endpoints (3)
- registry.npmjs.org/
- github.com/fuegokit/appfire-ux-guidelines
- localhost:5173
Decision evidence
public snapshot: AI called this Malicious at 94.0% confidence (Dangerous Capability) with low false-positive risk.
Evidence for policy block
- package.json defines postinstall: node bin/install.js
- bin/install.js copies templates into <INIT_CWD>/.claude/agents and .claude/commands during install
- bin/install.js supports --global writing into ~/.claude
- templates/agents/ux-auditor.md grants agent tools Read,Grep,Glob,Bash,Write,WebFetch
- templates/agents/ux-auditor.md instructs npm install/update/npx @appfire-ux/guidelines from the agent
Evidence against
- No credential harvesting or secret-specific collection found
- No network code in install.js beyond package metadata registry URL
- No eval/vm/dynamic code loading found
- Install script only copies bundled template files
Behavioral surface
- Environment Vars
- Filesystem
Source & flagged code
2 flagged
package.json · scripts.postinstall = node bin/install.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json · scripts.postinstall = node bin/install.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
Findings
1 High · 2 Medium · 2 Low
- High · Install Time Lifecycle Scripts · package.json
- Medium · Ambiguous Install Lifecycle Script · package.json
- Medium · Environment Vars
- Low · Scripts Present
- Low · Filesystem