AI Security Review
scanned 5h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No install-time attack surface is established. An explicit `dxb init` can add a Doxbrix authoring skill under the initialized project's `.claude/skills` directory.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `dxb init` without `--no-claude-skill`.
Impact
The new project gains agent instructions that influence future Claude Code authoring behavior; no unconsented install-time mutation or exfiltration was found.
Mechanism
Explicit first-party Claude Code skill scaffolding.
Rationale
The package is not malicious by source inspection, but its default `init` behavior writes an AI-agent skill into `.claude/skills`. Per policy this is a warn-level first-party agent extension lifecycle risk, not a publish-block event.
Evidence
package.jsondist/commands/init.jsdist/lib/claude-skill.generated.jsdist/lib/config.jsdist/lib/docs/frontmatter.jsdist/cli.js.claude/skills/doxbrix-authoring/SKILL.md.claude/skills/doxbrix-authoring/blocks-cheatsheet.md
Network endpoints1
app.doxbrix.com
Decision evidence
public snapshotAI called this Suspicious at 92.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `dist/commands/init.js` scaffolds `.claude/skills/doxbrix-authoring` during `dxb init`; the option defaults to enabled.
- `dist/commands/init.js` writes `SKILL.md` and `blocks-cheatsheet.md` into the project agent-control directory.
- The generated skill instructs an AI agent to use Doxbrix tooling when project markers are present.
Evidence against
- `package.json` has no preinstall, install, or postinstall lifecycle hook.
- The agent-skill write is reached only by the explicit user command `dxb init`, not import or installation.
- `dist/lib/claude-skill.generated.js` says not to publish or push without an explicit user request.
- No eval, dynamic loading, shell execution, credential harvesting, or direct network API use was found; remote operations go through the package-aligned SDK.
- `dist/lib/config.js` restricts token-bearing remote API origins to HTTPS, allowing HTTP only on loopback hosts.
- The flagged Unicode in `dist/lib/docs/frontmatter.js` is a BOM accepted/removed by frontmatter parsing, not a bidi control-flow disguise.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/lib/docs/frontmatter.jsView file
8contains invisible/control Unicode U+FEFF (zero width no-break space)
const FRONTMATTER_RE = /^<U+FEFF>?---\r?\n([\s\S]*?)\r?\n---\r?\n?/;
Critical
Trojan Source Unicode
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/lib/docs/frontmatter.jsView on unpkg · L8•Trigger-reachable chain: manifest.bin -> dist/cli.js -> dist/commands/index.js -> dist/commands/import.js -> dist/lib/docs/frontmatter.js
Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/lib/docs/frontmatter.jsView on unpkgFindings
2 Critical3 Medium4 Low
CriticalTrojan Source Unicodedist/lib/docs/frontmatter.js
CriticalTrigger Reachable Dangerous Capabilitydist/lib/docs/frontmatter.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings