registry  /  @csark0812/skeleton  /  1.1.5

@csark0812/skeleton@1.1.5

SSOT audit CLI for agent harness repos

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Explicit `skeleton init` installs project-local AI-agent read hooks. The hook injects local customization files into matching skill/read events; no exfiltration or remote payload path was confirmed.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `skeleton init`; `--skills` additionally opts into an `npx` skill-install command.
Impact
Can alter agent context in the initialized project when configured hooks run.
Mechanism
Project-local agent hook setup and local context injection.
Rationale
Source inspection confirms an explicit CLI-driven agent-hook lifecycle risk, not concrete malicious behavior. Downgrade to warn because the capability modifies AI-agent control surfaces only on user invocation and has no confirmed exfiltration or install-time mutation.
Evidence
package.jsondist/cli.jsdist/hooks/customize-on-skill-read.jstemplates/skeleton-init/cursor-hooks.fragment.jsontemplates/skeleton-init/claude-settings.fragment.jsontemplates/skeleton-init/codex-hooks.fragment.json.cursor/hooks.json.claude/settings.json.codex/hooks.json.skeleton/config.yaml.skeleton/registry.md

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/cli.js` `skeleton init` writes Cursor and Claude hook configs and, when present, Codex hooks.
  • Installed hook commands execute `dist/hooks/customize-on-skill-read.js` after skill/read tool events.
  • Hook reads stdin and local `.skeleton/customize` content, then injects it as agent context.
  • `init --skills` explicitly launches `npx skills add csark0812/skeleton` with user-controlled flags.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hook.
  • Hook configuration is only written by explicit `skeleton init`, not package installation or import.
  • No package logic uses `fetch`, HTTP clients, sockets, or credential/environment harvesting.
  • Child processes are limited to explicit CLI actions: `git`, validation tools, and opt-in `npx`; shell execution is disabled for `npx`.
  • `new Function` appears in bundled Ajv schema-validation code, not package-specific payload execution.
Behavioral surface
Source
ChildProcessEnvironmentVarsEvalFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 1.38 MB of source, external domains: json-schema.org, raw.githubusercontent.com

Source & flagged code

3 flagged · loading source
dist/cli.jsView file
17291// src/audit/core/git-meta.ts L17292: import { spawnSync } from "node:child_process"; L17293: function lastGitCommitDate(relPath2, root) {
High
Child Process

Package source references child process execution.

dist/cli.jsView on unpkg · L17291
1209Cross-file remote execution chain: dist/cli.js spawns dist/hooks/customize-on-skill-read.js; helper contains network access plus dynamic code execution. L1209: var names = { L1210: data: new codegen_1.Name("data"), L1211: valCxt: new codegen_1.Name("valCxt"), ... L2196: id = normalizeId(id); L2197: return resolver.resolve(baseId, id); L2198: } ... L3044: for (i = 0;i < input.length; i++) { L3045: code = input[i].charCodeAt(0); L3046: if (code === 48) { ... L11183: *next(token) { L11184: if (node_process.env.LOG_STREAM) L11185: console.dir(token, { depth: null });
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli.jsView on unpkg · L1209
dist/hooks/customize-on-skill-read.jsView file
2866sourceCode = this.opts.code.process(sourceCode, sch); L2867: const makeValidate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode); L2868: const validate = makeValidate(this, this.scope.get());
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/hooks/customize-on-skill-read.jsView on unpkg · L2866

Findings

3 High1 Medium5 Low
HighChild Processdist/cli.js
HighShell
HighCross File Remote Execution Contextdist/cli.js
MediumEnvironment Vars
LowScripts Present
LowEvaldist/hooks/customize-on-skill-read.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings