AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
User runs `skillshub install <slug>` or `skillshub update <slug>`.
Impact
A user-selected marketplace skill can influence an AI agent in the current project.
Mechanism
Fetch remote skill metadata and write generated agent instruction files.
Rationale
The package is not concretely malicious: it has no lifecycle hook or hidden execution/exfiltration path. Its explicit remote-to-agent-instruction write capability warrants a warning for downstream review of marketplace content.
Evidence
package.jsonsrc/index.tssrc/lib/api.tssrc/lib/config.tssrc/lib/agents.tssrc/commands/install.tssrc/commands/update.tssrc/commands/remove.ts~/.skillshubrc.json.claude/skills/{slug}/SKILL.md.opencode/skills/{slug}/SKILL.md.codex/skills/{slug}/SKILL.md.cursor/skills/{slug}/SKILL.md.github/copilot-instructions.md
Network endpoints1
127.0.0.1:8000
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- Explicit `install`/`update` fetch skill metadata then write agent instruction files.
- Writes into `.claude`, `.opencode`, `.codex`, `.cursor`, or `.github` under the invoked working directory.
- Fetched `long_description`/`description` becomes `SKILL.md` content for AI agents.
Evidence against
- `package.json` has no preinstall, install, or postinstall hook.
- CLI actions require explicit user commands; import only registers commands.
- Default API endpoint is local `http://127.0.0.1:8000`; configured URLs are limited to HTTP(S).
- No child-process, shell, eval, native loading, or credential-file harvesting found.
- Removal only unlinks a previously recorded installed skill path.
Behavioral surface
EnvironmentVarsFilesystemNetwork
UrlStrings
NoLicense
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
5 Medium4 Low
MediumNetwork
MediumEnvironment Vars
MediumAi Review Evidence
MediumAi Review Evidence
MediumAi Review Evidence
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License