AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. Explicit `skeleton init` installs project-local AI-agent read hooks. The hook injects local customization files into matching skill/read events; no exfiltration or remote payload path was confirmed.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `skeleton init`; `--skills` additionally opts into an `npx` skill-install command.
Impact
Can alter agent context in the initialized project when configured hooks run.
Mechanism
Project-local agent hook setup and local context injection.
Rationale
Source inspection confirms an explicit CLI-driven agent-hook lifecycle risk, not concrete malicious behavior. Downgrade to warn because the capability modifies AI-agent control surfaces only on user invocation and has no confirmed exfiltration or install-time mutation.
Evidence
package.jsondist/cli.jsdist/hooks/customize-on-skill-read.jstemplates/skeleton-init/cursor-hooks.fragment.jsontemplates/skeleton-init/claude-settings.fragment.jsontemplates/skeleton-init/codex-hooks.fragment.json.cursor/hooks.json.claude/settings.json.codex/hooks.json.skeleton/config.yaml.skeleton/registry.md
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/cli.js` `skeleton init` writes Cursor and Claude hook configs and, when present, Codex hooks.
- Installed hook commands execute `dist/hooks/customize-on-skill-read.js` after skill/read tool events.
- Hook reads stdin and local `.skeleton/customize` content, then injects it as agent context.
- `init --skills` explicitly launches `npx skills add csark0812/skeleton` with user-controlled flags.
Evidence against
- `package.json` has no preinstall, install, or postinstall lifecycle hook.
- Hook configuration is only written by explicit `skeleton init`, not package installation or import.
- No package logic uses `fetch`, HTTP clients, sockets, or credential/environment harvesting.
- Child processes are limited to explicit CLI actions: `git`, validation tools, and opt-in `npx`; shell execution is disabled for `npx`.
- `new Function` appears in bundled Ajv schema-validation code, not package-specific payload execution.
Behavioral surface
ChildProcessEnvironmentVarsEvalFilesystemShell
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcedist/cli.jsView file
17291// src/audit/core/git-meta.ts
L17292: import { spawnSync } from "node:child_process";
L17293: function lastGitCommitDate(relPath2, root) {
High
1209Cross-file remote execution chain: dist/cli.js spawns dist/hooks/customize-on-skill-read.js; helper contains network access plus dynamic code execution.
L1209: var names = {
L1210: data: new codegen_1.Name("data"),
L1211: valCxt: new codegen_1.Name("valCxt"),
...
L2196: id = normalizeId(id);
L2197: return resolver.resolve(baseId, id);
L2198: }
...
L3044: for (i = 0;i < input.length; i++) {
L3045: code = input[i].charCodeAt(0);
L3046: if (code === 48) {
...
L11183: *next(token) {
L11184: if (node_process.env.LOG_STREAM)
L11185: console.dir(token, { depth: null });
High
Cross File Remote Execution Context
Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/cli.jsView on unpkg · L1209dist/hooks/customize-on-skill-read.jsView file
2866sourceCode = this.opts.code.process(sourceCode, sch);
L2867: const makeValidate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode);
L2868: const validate = makeValidate(this, this.scope.get());
Low
Eval
Package source references a known benign dynamic code generation pattern.
dist/hooks/customize-on-skill-read.jsView on unpkg · L2866Findings
3 High1 Medium5 Low
HighChild Processdist/cli.js
HighShell
HighCross File Remote Execution Contextdist/cli.js
MediumEnvironment Vars
LowScripts Present
LowEvaldist/hooks/customize-on-skill-read.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings