@devalok/shilp-sutra@0.44.1

Devalok Design System — accessible React components, OKLCH design tokens, and Tailwind 4 CSS-first setup. Ships with AI-agent setup recipes.

AI Security Review

scanned 5d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Install-time behavior is limited to a guarded welcome banner and version sentinel; optional agent skill installation is explicit user action.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install runs postinstall; skill/install.sh only runs if the user invokes it
Impact
Install may print guidance and write a version marker under node_modules; no credential, network, persistence, or unconsented agent-control mutation confirmed.
Mechanism
welcome banner plus sentinel write; documented optional skill installer
Rationale
Static inspection shows the flagged lifecycle script is a guarded UX banner, while the AI-agent files are documentation/optional skill assets and are not written by postinstall. The risky primitives in the scanner output are package-aligned or user-invoked, with no concrete malicious behavior found.
Evidence
package.json, scripts/welcome.mjs, skill/install.sh, skill/SKILL.md, AGENTS.md, dist/ui/index.js, node_modules/.shilp-sutra-welcomed, $INSTALL_DIR/shilp-sutra

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines postinstall: node scripts/welcome.mjs || true
  • scripts/welcome.mjs writes a benign sentinel node_modules/.shilp-sutra-welcomed during eligible TTY installs
  • skill/install.sh can overwrite an agent skill directory, but only when a user explicitly runs the installer
Evidence against
  • scripts/welcome.mjs only reads package.json/env/TTY state, prints setup text, and records the current version sentinel
  • postinstall has no network calls, child_process use, credential access, shell execution, or agent config writes
  • AGENTS.md and skill/SKILL.md are package-aligned design-system usage instructions, not hidden lifecycle mutation
  • skill/install.sh network access targets the package's GitHub repo and is documented/user-invoked, not run by npm install
  • dist/ui/index.js is a React component barrel with a browser-only CSS-token warning and no exfiltration behavior
  • bundled woff2 fonts are expected design-system assets
Behavioral surface
Source
ChildProcess, EnvironmentVars, Filesystem
Supply chain
HighEntropyStrings, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 181 file(s), 1.53 MB of source, external domains: cdn.jsdelivr.net, player.vimeo.com, prosemirror.net, radix-ui.com, shilp-sutra.devalok.in, www.figma.com, www.loom.com, www.npmjs.com, www.w3.org, www.youtube.com

Source & flagged code

5 flagged
package.json
scripts.postinstall = node scripts/welcome.mjs || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node scripts/welcome.mjs || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
scripts/welcome.mjs
4 Install-time AI-agent control hijack evidence:
L27:
L28: import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs'
L29: import { dirname, join, resolve } from 'node:path'
...
L102: try {
L103: mkdirSync(dirname(sentinel), { recursive: true })
L104: writeFileSync(sentinel, version + '\n')
L105: } catch {
...
L186: lines.push(row(` ${colour('cp -r node_modules/@devalok/shilp-sutra/skill \\', DIM)}`))
L187: lines.push(row(` ${colour('~/.claude/skills/shilp-sutra', DIM)}`))
L188: lines.push(colour(EMPTY, PINK_DIM))
...
L209: ` ${colour('▸', PINK)} Theme: ${colour('https://shilp-sutra.devalok.in/themer', DIM)}`,
L210: ` ${colour('▸', PINK)} AI: ${colour('cp -r node_modules/@devalok/shilp-sutra/skill ~/.claude/skills/shilp-sutra', DIM)}`,
Payload evidence from skill/SKILL.md:
L4: license: MIT
L5: metadata:
L6: version: "0.44.1"
L7: author: Devalok Design & Strategy Studios
L8: homepage: https://github.com/devalok-design/shilp-sutra
L9: npm: https://www.npmjs.com/package/@devalok/shilp-sutra
...
L19: - The user mentions `shilp-sutra`, `@devalok`, Devalok, or Devalok's design system.
L20: - The project's `package.json` lists `@devalok/shilp-sutra` or `@dev…
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/welcome.mjs · L4
skill/install.sh
path = skill/install.sh kind = build_helper sizeBytes = 1903 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

skill/install.sh
fonts/Inter-Italic-Variable.woff2
path = fonts/Inter-Italic-Variable.woff2 kind = high_entropy_blob sizeBytes = 387976 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

fonts/Inter-Italic-Variable.woff2

Findings

1 Critical · 2 High · 4 Medium · 4 Low
Critical · Ai Agent Control Hijack · scripts/welcome.mjs
High · Install Time Lifecycle Scripts · package.json
High · Ships High Entropy Blob · fonts/Inter-Italic-Variable.woff2
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Environment Vars
Medium · Ships Build Helper · skill/install.sh
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings