registry  /  @appfire-ux/audit-agent  /  0.20260708.2

@appfire-ux/audit-agent@0.20260708.2

Claude Code audit agents for Appfire apps — ux-auditor (/ux-audit), ui-auditor (/ui-audit), a11y-auditor (/a11y-audit: WCAG 2.2 + axe-core scan feeding the Appfire VPAT/ACR process), /full-audit parallel orchestration. Confluence-ready MD+HTML+PNG output,

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package automatically mutates a Claude Code control surface during npm postinstall. It installs package-supplied agent and command files into the installing project .claude directory, with an option for ~/.claude.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install lifecycle postinstall or explicit bin invocation
Impact
Unconsented install-time modification of AI-agent commands available in the project or globally.
Mechanism
postinstall copies Claude Code agent/command templates
Policy narrative
Installing the package triggers npm postinstall, which runs bin/install.js. That script resolves the target to the installing project’s .claude directory by default, creates agents/ and commands/ directories, and copies bundled Claude Code agent and slash-command definitions there. This is disclosed and package-aligned, and no exfiltration or remote code payload is evident, but the mutation happens automatically during install against a broad AI-agent control surface.
Rationale
Source inspection confirms automatic postinstall writes into .claude, which meets the policy threshold for unconsented install-time AI-agent control-surface mutation. The behavior appears package-aligned and non-exfiltrating, but install-time agent command installation is enough to block under the stated boundary. Product guard normalized a concrete AI-agent control hijack publish_block to the blockable dangerous-capability shape.
Evidence
package.jsonbin/install.jstemplates/commands/ux-audit.mdtemplates/commands/ui-audit.mdtemplates/commands/a11y-audit.mdtemplates/commands/full-audit.mdscripts/ux-audit-capture.mjsscripts/a11y-audit-scan.mjsscripts/build-html-reports.mjstemplates/agents/*.mdtemplates/commands/*.md<project>/.claude/agents/*.md<project>/.claude/commands/*.md~/.claude/agents/*.md~/.claude/commands/*.md
Network endpoints1
registry.npmjs.org/

Decision evidence

public snapshot
AI called this Malicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node bin/install.js
  • bin/install.js runs at install time and copies templates into <INIT_CWD|cwd>/.claude
  • bin/install.js also supports --global writes into ~/.claude
  • templates/commands/*.md create Claude slash commands /ux-audit, /ui-audit, /a11y-audit, /full-audit
Evidence against
  • No credential/env harvesting found beyond INIT_CWD target selection
  • No fixed exfiltration endpoint or remote payload download found
  • scripts only use Playwright/axe against user-supplied --url and write local audit outputs
  • README discloses .claude installation behavior
Behavioral surface
Source
EnvironmentVarsFilesystem
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 19.3 KB of source

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node bin/install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node bin/install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/install.jsView file
4Install-time AI-agent control hijack evidence: L4: * L5: * Copies templates/agents/* -> <target>/.claude/agents/ L6: * templates/commands/* -> <target>/.claude/commands/ L7: * L8: * Target resolution: L9: * --global | -g -> ~/.claude (available in every repo) L10: * default -> project root (INIT_CWD when run via npm postinstall, ... L29: const targetRoot = isGlobal L30: ? path.join(os.homedir(), '.claude') L31: : path.join(process.env.INIT_CWD || process.cwd(), '.claude'); L32: ... L42: if (!fs.existsSync(src)) return []; Payload evidence from templates/agents/ux-auditor.md: L45: - **HTML** — open in browser → ⌘A / Ctrl+A → copy → paste into Confluence L46: - **PNG** in `assets/` — separate files only; **never** base64 in MD/HTML L47: ... L70: L71: **ux-auditor** writes to `docs/audits/ux-audit/` (or user path). Use relative image paths in MD/HTML: `assets/dashboard-teams-1440w.png` — not `../prod-assets/`, not `data:image/..... L72: ... L113: > Żeby dokończyć audyt z pełnym visual evidence, podaj proszę: L114: > 1. URL (np. `https://…/dashboard`) gdzie jesteś zalogowany i widzisz pełny shell, **albo** L115: > 2. Dev command + port lo…
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

bin/install.jsView on unpkg · L4

Findings

1 Critical1 High3 Medium3 Low
CriticalAi Agent Control Hijackbin/install.js
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings