@devalok/shilp-sutra@0.45.0

Devalok Design System — accessible React components, OKLCH design tokens, and Tailwind 4 CSS-first setup. Ships with AI-agent setup recipes.

AI Security Review

scanned 1h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious install-time attack was found. The remaining risk is a first-party AI-agent skill setup path: postinstall advertises it, and an explicit installer can write package instructions into ~/.claude/skills.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install for banner; explicit user execution of skill/install.sh for skill installation
Impact
Potential agent behavior influence only after explicit skill installation; no automatic foreign agent-control mutation observed.
Mechanism
guarded welcome banner plus user-invoked first-party agent skill installer
Rationale
Static inspection does not support the scanner's malicious verdict because the lifecycle hook is a guarded banner/sentinel writer with no exfiltration or automatic agent-control mutation. Because the package ships and promotes a first-party agent skill installer that writes to an agent extension directory when explicitly run, downgrade to warn rather than block.
Evidence
  • package.json
  • scripts/welcome.mjs
  • skill/install.sh
  • skill/SKILL.md
  • dist/ui/index.js
  • README.md
  • AGENTS.md
  • node_modules/.shilp-sutra-welcomed
  • $HOME/.claude/skills/shilp-sutra
Network endpoints (3)
  • api.github.com/repos/devalok-design/shilp-sutra/git/trees/$BRANCH?recursive=1
  • raw.githubusercontent.com/devalok-design/shilp-sutra/$BRANCH/$path
  • shilp-sutra.devalok.in/themer

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Benign with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall: node scripts/welcome.mjs || true
  • scripts/welcome.mjs writes a version sentinel at node_modules/.shilp-sutra-welcomed
  • scripts/welcome.mjs prints instructions to copy package skill into ~/.claude/skills/shilp-sutra
  • skill/install.sh explicitly installs a first-party agent skill into $HOME/.claude/skills by default
  • skill/install.sh fetches package-owned skill files from GitHub when user runs it
Evidence against
  • postinstall has CI, non-TTY, silent loglevel, dev-install, and opt-out guards
  • postinstall only reads package.json and writes a local sentinel; it does not modify agent config
  • No credential harvesting, broad filesystem scan, or exfiltration found in inspected lifecycle code
  • Runtime dist/ui/index.js is a UI barrel with token-load warning only
  • Network use is limited to explicit user-run skill/install.sh and package-aligned GitHub/themer URLs
  • High-entropy blob is a normal .woff2 font asset
Behavioral surface
Source
ChildProcess, EnvironmentVars, Filesystem
Supply chain
HighEntropyStrings, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 183 file(s), 1.53 MB of source, external domains: cdn.jsdelivr.net, player.vimeo.com, prosemirror.net, radix-ui.com, shilp-sutra.devalok.in, www.figma.com, www.loom.com, www.npmjs.com, www.w3.org, www.youtube.com

Source & flagged code

5 flagged
package.json
scripts.postinstall = node scripts/welcome.mjs || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

scripts.postinstall = node scripts/welcome.mjs || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

scripts/welcome.mjs
4 · Install-time AI-agent control hijack evidence:
  L27:
  L28: import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs'
  L29: import { dirname, join, resolve } from 'node:path'
  ...
  L102: try {
  L103: mkdirSync(dirname(sentinel), { recursive: true })
  L104: writeFileSync(sentinel, version + '\n')
  L105: } catch {
  ...
  L186: lines.push(row(` ${colour('cp -r node_modules/@devalok/shilp-sutra/skill \\', DIM)}`))
  L187: lines.push(row(` ${colour('~/.claude/skills/shilp-sutra', DIM)}`))
  L188: lines.push(colour(EMPTY, PINK_DIM))
  ...
  L209: ` ${colour('▸', PINK)} Theme: ${colour('https://shilp-sutra.devalok.in/themer', DIM)}`,
  L210: ` ${colour('▸', PINK)} AI: ${colour('cp -r node_modules/@devalok/shilp-sutra/skill ~/.claude/skills/shilp-sutra', DIM)}`,
Payload evidence from skill/SKILL.md:
  L4: license: MIT
  L5: metadata:
  L6: version: "0.45.0"
  L7: author: Devalok Design & Strategy Studios
  L8: homepage: https://github.com/devalok-design/shilp-sutra
  L9: npm: https://www.npmjs.com/package/@devalok/shilp-sutra
  ...
  L19: - The user mentions `shilp-sutra`, `@devalok`, Devalok, or Devalok's design system.
  L20: - The project's `package.json` lists `@devalok/shilp-sutra` or `@dev…
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/welcome.mjs · L4
skill/install.sh
path = skill/install.sh kind = build_helper sizeBytes = 1903 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

fonts/Inter-Italic-Variable.woff2
path = fonts/Inter-Italic-Variable.woff2 kind = high_entropy_blob sizeBytes = 387976 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

Findings

1 Critical · 2 High · 4 Medium · 4 Low
Critical · Ai Agent Control Hijack · scripts/welcome.mjs
High · Install Time Lifecycle Scripts · package.json
High · Ships High Entropy Blob · fonts/Inter-Italic-Variable.woff2
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Environment Vars
Medium · Ships Build Helper · skill/install.sh
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings