registry  /  @atrorg/skillshub  /  0.1.1

@atrorg/skillshub@0.1.1

CLI for SkillsHub - AI agent skill marketplace

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `skillshub install <slug>` or `skillshub update <slug>`.
Impact
A user-selected marketplace skill can influence an AI agent in the current project.
Mechanism
Fetch remote skill metadata and write generated agent instruction files.
Rationale
The package is not concretely malicious: it has no lifecycle hook or hidden execution/exfiltration path. Its explicit remote-to-agent-instruction write capability warrants a warning for downstream review of marketplace content.
Evidence
package.jsonsrc/index.tssrc/lib/api.tssrc/lib/config.tssrc/lib/agents.tssrc/commands/install.tssrc/commands/update.tssrc/commands/remove.ts~/.skillshubrc.json.claude/skills/{slug}/SKILL.md.opencode/skills/{slug}/SKILL.md.codex/skills/{slug}/SKILL.md.cursor/skills/{slug}/SKILL.md.github/copilot-instructions.md
Network endpoints1
127.0.0.1:8000

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • Explicit `install`/`update` fetch skill metadata then write agent instruction files.
  • Writes into `.claude`, `.opencode`, `.codex`, `.cursor`, or `.github` under the invoked working directory.
  • Fetched `long_description`/`description` becomes `SKILL.md` content for AI agents.
Evidence against
  • `package.json` has no preinstall, install, or postinstall hook.
  • CLI actions require explicit user commands; import only registers commands.
  • Default API endpoint is local `http://127.0.0.1:8000`; configured URLs are limited to HTTP(S).
  • No child-process, shell, eval, native loading, or credential-file harvesting found.
  • Removal only unlinks a previously recorded installed skill path.
Behavioral surface
Source
EnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
Manifest
NoLicense
scanned 16 file(s), 37.5 KB of source, external domains: 127.0.0.1

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

5 Medium4 Low
MediumNetwork
MediumEnvironment Vars
MediumAi Review Evidence
MediumAi Review Evidence
MediumAi Review Evidence
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License