registry  /  @csark0812/skeleton  /  1.1.3

@csark0812/skeleton@1.1.3

SSOT audit CLI for agent harness repos

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The explicit `skeleton init` command writes first-party hook entries into supported AI-agent configuration files and invokes a package-owned hook on read events. No automatic install-time execution or confirmed exfiltration is present.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `skeleton init`
Impact
Modifies project agent settings and can add local context to supported agent read events.
Mechanism
Explicit agent-hook configuration and local customization injection
Rationale
The package is not concretely malicious, but its explicit initialization configures AI-agent hooks and invokes an external skill-install command. Per policy, this first-party agent extension setup warrants a warning rather than a block.
Evidence
package.jsondist/cli.jsdist/hooks/customize-on-skill-read.jstemplates/skeleton-init/cursor-hooks.fragment.jsontemplates/skeleton-init/claude-settings.fragment.jsontemplates/skeleton-init/codex-hooks.fragment.json.cursor/hooks.json.claude/settings.json.codex/hooks.json.skeleton/config.yaml.skeleton/registry.md

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/cli.js` `init` merges hooks into `.cursor`, `.claude`, and existing `.codex` configs.
  • `dist/cli.js` runs `npx skills add csark0812/skeleton` during explicit `skeleton init`.
  • Installed hooks execute `dist/hooks/customize-on-skill-read.js` after agent read events.
Evidence against
  • `package.json` contains no `preinstall`, `install`, or `postinstall` hook.
  • Hook code reads stdin and project `.skeleton/customize` content; no runtime network calls found.
  • No credential-harvesting paths or exfiltration calls found.
  • `spawnSync("git", ...)` is limited to local audit metadata; `npx` uses `shell:false`.
Behavioral surface
Source
ChildProcessEnvironmentVarsEvalFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 1.38 MB of source, external domains: json-schema.org, raw.githubusercontent.com

Source & flagged code

3 flagged · loading source
dist/cli.jsView file
17291// src/audit/core/git-meta.ts L17292: import { spawnSync } from "node:child_process"; L17293: function lastGitCommitDate(relPath2, root) {
High
Child Process

Package source references child process execution.

dist/cli.jsView on unpkg · L17291
1209Cross-file remote execution chain: dist/cli.js spawns dist/hooks/customize-on-skill-read.js; helper contains network access plus dynamic code execution. L1209: var names = { L1210: data: new codegen_1.Name("data"), L1211: valCxt: new codegen_1.Name("valCxt"), ... L2196: id = normalizeId(id); L2197: return resolver.resolve(baseId, id); L2198: } ... L3044: for (i = 0;i < input.length; i++) { L3045: code = input[i].charCodeAt(0); L3046: if (code === 48) { ... L11183: *next(token) { L11184: if (node_process.env.LOG_STREAM) L11185: console.dir(token, { depth: null });
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli.jsView on unpkg · L1209
dist/hooks/customize-on-skill-read.jsView file
2866sourceCode = this.opts.code.process(sourceCode, sch); L2867: const makeValidate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode); L2868: const validate = makeValidate(this, this.scope.get());
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/hooks/customize-on-skill-read.jsView on unpkg · L2866

Findings

3 High1 Medium5 Low
HighChild Processdist/cli.js
HighShell
HighCross File Remote Execution Contextdist/cli.js
MediumEnvironment Vars
LowScripts Present
LowEvaldist/hooks/customize-on-skill-read.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings