@appfire-ux/audit-agent@0.20260702.0

Claude Code audit agents for Appfire apps — installs ux-auditor (/ux-audit: guideline compliance) and ui-auditor (/ui-audit: UI consistency, IA, interaction design), auditing against @appfire-ux/guidelines

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Install-time code plants Claude Code agents and slash commands into a broad/foreign AI-agent control surface. The content is product-aligned, but delivery is automatic through npm postinstall.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; npx/bin invocation can also run bin/install.js
Impact
Adds package-supplied Claude Code agents and slash commands in the user's project or home Claude config, influencing future AI-agent behavior over repositories.
Mechanism
unconsented lifecycle write to Claude Code .claude agents/commands
Policy narrative
During npm postinstall, bin/install.js resolves the target to INIT_CWD/.claude for normal installs or ~/.claude for --global, creates agents and commands directories, and copies bundled Claude Code prompt files there, overwriting existing files. This gives the package lifecycle a path to mutate Claude Code's control surface outside the package directory without an explicit install-time consent step.
Rationale
Static inspection confirms automatic lifecycle mutation of Claude Code .claude agents/commands, which is a foreign/broad AI-agent control surface. Even though no exfiltration, remote code, or malicious prompt content was found, the unconsented lifecycle delivery is blockable under the provided policy.
Evidence
  • package.json
  • bin/install.js
  • templates/agents/ui-auditor.md
  • templates/agents/ux-auditor.md
  • templates/commands/ui-audit.md
  • templates/commands/ux-audit.md
  • $INIT_CWD/.claude/agents/*
  • $INIT_CWD/.claude/commands/*
  • ~/.claude/agents/*
  • ~/.claude/commands/*
  • templates/agents/*
  • templates/commands/*

Decision evidence

public snapshot
AI called this Malicious at 95.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node bin/install.js and bin points to same installer
  • bin/install.js computes targetRoot as ~/.claude for global installs or INIT_CWD/.claude for local installs
  • bin/install.js recursively copies templates/agents and templates/commands into that Claude directory
  • installer overwrites existing files and runs automatically as npm lifecycle
Evidence against
  • No network client, fetch, http, or package endpoint use found in inspected source
  • No child_process, eval/vm/Function, native addon, binary loading, or obfuscated payload found
  • No credential harvesting or secret environment enumeration found beyond INIT_CWD/npm install context
  • Bundled agent/command prompts appear product-aligned UX/UI audit content rather than exfiltration instructions
Behavioral surface
  • Source: EnvironmentVars, Filesystem
  • Supply chain: HighEntropyStrings
  • Manifest: No manifest risk signals triggered.
scanned 2 file(s), 5.73 KB of source

Source & flagged code

2 flagged

package.json
scripts.postinstall = node bin/install.js
High: Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node bin/install.js
Medium: Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.

Findings

1 High, 2 Medium, 3 Low
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Medium: Environment Vars
  • Low: Scripts Present
  • Low: Filesystem
  • Low: High Entropy Strings