AI Security Review
scanned 2h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Install-time code plants Claude Code agents and slash commands into a broad/foreign AI-agent control surface. The content is product-aligned, but delivery is automatic through npm postinstall.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; npx/bin invocation can also run bin/install.js
Impact
Adds package-supplied Claude Code agents and slash commands in the user's project or home Claude config, influencing future AI-agent behavior over repositories.
Mechanism
unconsented lifecycle write to Claude Code .claude agents/commands
Policy narrative
During npm postinstall, bin/install.js resolves the target to INIT_CWD/.claude for normal installs or ~/.claude for --global, creates agents and commands directories, and copies bundled Claude Code prompt files there, overwriting existing files. This gives the package lifecycle a path to mutate Claude Code's control surface outside the package directory without an explicit install-time consent step.
Rationale
Static inspection confirms automatic lifecycle mutation of Claude Code .claude agents/commands, which is a foreign/broad AI-agent control surface. Even though no exfiltration, remote code, or malicious prompt content was found, the unconsented lifecycle delivery is blockable under the provided policy.
Evidence
- package.json
- bin/install.js
- templates/agents/ui-auditor.md
- templates/agents/ux-auditor.md
- templates/commands/ui-audit.md
- templates/commands/ux-audit.md
- $INIT_CWD/.claude/agents/*
- $INIT_CWD/.claude/commands/*
- ~/.claude/agents/*
- ~/.claude/commands/*
- templates/agents/*
- templates/commands/*
Decision evidence
public snapshot

AI called this Malicious at 95.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
- package.json defines postinstall: node bin/install.js and bin points to same installer
- bin/install.js computes targetRoot as ~/.claude for global installs or INIT_CWD/.claude for local installs
- bin/install.js recursively copies templates/agents and templates/commands into that Claude directory
- installer overwrites existing files and runs automatically as npm lifecycle
Evidence against
- No network client, fetch, http, or package endpoint use found in inspected source
- No child_process, eval/vm/Function, native addon, binary loading, or obfuscated payload found
- No credential harvesting or secret environment enumeration found beyond INIT_CWD/npm install context
- Bundled agent/command prompts appear product-aligned UX/UI audit content rather than exfiltration instructions
Behavioral surface
- Environment Vars
- Filesystem
- High Entropy Strings
Source & flagged code
2 flagged

package.json
- scripts.postinstall = node bin/install.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json

- scripts.postinstall = node bin/install.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.json

Findings
1 High · 2 Medium · 3 Low
- High: Install Time Lifecycle Scripts (package.json)
- Medium: Ambiguous Install Lifecycle Script (package.json)
- Medium: Environment Vars
- Low: Scripts Present
- Low: Filesystem
- Low: High Entropy Strings