AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
User runs the `skills` CLI, particularly its default bootstrap or selected agent installation.
Impact
A user-approved command can alter agent-visible instructions and install externally fetched workflow skills.
Mechanism
Explicit agent-skill provisioning and managed instruction-file updates.
Rationale
No concrete malicious chain or unconsented install-time mutation is present. Warn because the CLI intentionally provisions broad agent instruction and skill surfaces, including external GitHub content, when invoked.
Evidence
package.jsonbin/skills.mjslib/install-policy.mjscatalog/sources.jsonAGENTS.md.github/copilot-instructions.md.agents/skills/*.claude/skills/*~/.agents/skills/*~/.claude/skills/*
Network endpoints1
github.com
Decision evidence
public snapshotAI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `bin/skills.mjs` default bootstrap clones external GitHub skill sources.
- `bin/skills.mjs` writes project/global `.agents/skills` and `.claude/skills`.
- `bin/skills.mjs` updates `AGENTS.md` and `.github/copilot-instructions.md` after confirmation.
- `bin/skills.mjs` invokes `pi install` only for an explicit `--agent pi` selection.
Evidence against
- `package.json` defines no preinstall/install/postinstall lifecycle hook.
- Only executable is the user-invoked `bin/skills.mjs` CLI.
- No credential harvesting, exfiltration, eval, dynamic code loading, or hidden binary found.
- External source copies reject symlinks and protect unmanaged target directories unless `--force` is supplied.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcecatalog/skills/diagnosing-bugs/scripts/hitl-loop.template.shView file
•path = catalog/skills/diagnosing-bugs/scripts/hitl-loop.template.sh
kind = build_helper
sizeBytes = 1164
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
catalog/skills/diagnosing-bugs/scripts/hitl-loop.template.shView on unpkgFindings
3 Medium4 Low
MediumEnvironment Vars
MediumShips Build Helpercatalog/skills/diagnosing-bugs/scripts/hitl-loop.template.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings