AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The explicit `skeleton init` command writes first-party hook entries into supported AI-agent configuration files and invokes a package-owned hook on read events. No automatic install-time execution or confirmed exfiltration is present.
Decision evidence
public snapshot- `dist/cli.js` `init` merges hooks into `.cursor`, `.claude`, and existing `.codex` configs.
- `dist/cli.js` runs `npx skills add csark0812/skeleton` during explicit `skeleton init`.
- Installed hooks execute `dist/hooks/customize-on-skill-read.js` after agent read events.
- `package.json` contains no `preinstall`, `install`, or `postinstall` hook.
- Hook code reads stdin and project `.skeleton/customize` content; no runtime network calls found.
- No credential-harvesting paths or exfiltration calls found.
- `spawnSync("git", ...)` is limited to local audit metadata; `npx` uses `shell:false`.
Source & flagged code
3 flagged · loading sourceSource spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/cli.jsView on unpkg · L1209Package source references a known benign dynamic code generation pattern.
dist/hooks/customize-on-skill-read.jsView on unpkg · L2866