
@appfire-ux/audit-agent@0.2026.70-2.1

Claude Code UX audit agent for Appfire apps — installs the ux-auditor agent and /ux-audit command that audit a repo against @appfire-ux/guidelines

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Install-time lifecycle code plants Claude Code agent and slash-command files into the consumer project's .claude directory without an explicit user action. The planted agent has broad Bash/Write/WebFetch capabilities and carries instructions to run npm install/update workflows later.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install of the package or explicit bin invocation
Impact
Consumer projects receive package-supplied AI-agent instructions that can later run privileged audit workflows and package installs inside the repo.
Mechanism
unconsented lifecycle mutation of Claude Code control surface
Policy narrative
On npm install, package.json runs bin/install.js. That script resolves the caller project via INIT_CWD/process.cwd and copies bundled Claude Code agent and command templates into .claude/agents and .claude/commands, or into ~/.claude with --global. The installed agent is product-aligned UX-audit content, but it is delivered through an npm lifecycle hook into a foreign AI-agent control surface and includes broad tool permissions plus instructions to run npm install/update/npx workflows.
Rationale
The concrete issue is not classic malware but lifecycle-triggered mutation of Claude Code control files in the consuming project, which the policy treats as blockable AI-agent control hijack. Product alignment and lack of exfiltration do not neutralize the unconsented install-time write into a foreign agent surface.
Evidence
  • package.json
  • bin/install.js
  • templates/agents/ux-auditor.md
  • templates/commands/ux-audit.md
  • scripts/ux-audit-capture.mjs
  • README.md
  • <project>/.claude/agents/ux-auditor.md
  • <project>/.claude/commands/ux-audit.md
  • ~/.claude/agents/ux-auditor.md
  • ~/.claude/commands/ux-audit.md
Network endpoints (3)
  • registry.npmjs.org/
  • github.com/fuegokit/appfire-ux-guidelines
  • localhost:5173

Decision evidence

public snapshot
AI called this Malicious at 94.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node bin/install.js
  • bin/install.js copies templates into <INIT_CWD>/.claude/agents and .claude/commands during install
  • bin/install.js supports --global writing into ~/.claude
  • templates/agents/ux-auditor.md grants agent tools Read,Grep,Glob,Bash,Write,WebFetch
  • templates/agents/ux-auditor.md instructs npm install/update/npx @appfire-ux/guidelines from the agent
Evidence against
  • No credential harvesting or secret-specific collection found
  • No network code in install.js beyond package metadata registry URL
  • No eval/vm/dynamic code loading found
  • Install script only copies bundled template files
Behavioral surface
Source
Environment Vars, Filesystem
Supply chain
No supply-chain packaging signals triggered.
Manifest
No manifest risk signals triggered.
scanned 2 file(s), 5.33 KB of source

Source & flagged code

2 flagged

package.json
scripts.postinstall = node bin/install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node bin/install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

Findings

1 High · 2 Medium · 2 Low
High · Install Time Lifecycle Scripts · package.json
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Environment Vars
Low · Scripts Present
Low · Filesystem