@easbot/skills@0.2.49

Skills management system for EAS Agent ecosystem (add / remove / list / find / update / sync / use)

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs easbot skills add/use/remove/update/sync or calls exported APIs.
Impact
Can change agent skill behavior when the user installs remote/local skills; no unconsented install-time mutation found.
Mechanism
explicit skill installation/removal, GitHub/well-known downloads, telemetry/audit/search requests, optional agent spawn
Rationale
Source inspection shows a documented skills package with user-invoked agent skill installation and telemetry/network operations, but no npm lifecycle hooks or stealth execution. Because it mutates broad AI-agent control surfaces only through explicit commands, warn rather than block.
Evidence
package.json, README.en.md, dist/index.cjs, dist/index.mjs, dist/chunks/chunk-EOOPF3RI.cjs, dist/chunks/chunk-MH2XZDJ5.mjs, .agents/skills, skills-lock.json, .skill-lock.json, .codex/skills, .claude/skills, .config/easbot/skills, tmpdir/skills-use-*
Network endpoints (6)
add-skill.vercel.sh/t, add-skill.vercel.sh/audit, skills.sh, api.github.com/repos/, raw.githubusercontent.com/, connectors-skills.zapier.com/download/

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/index.cjs exports add/remove/update/use flows that install or remove SKILL.md content for many agent directories including codex and claude-code.
  • dist/index.cjs uses child_process.spawn only in user-invoked skills use to launch claude/codex with generated prompt content.
  • dist/index.cjs and chunks call telemetry/audit/search/download endpoints and GitHub APIs during user commands.
  • dist/index.cjs reads GITHUB_TOKEN/GH_TOKEN or runs gh auth token for GitHub rate-limit fallback.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • README.en.md describes a skills management CLI/library; suspicious primitives align with cloning, installing, finding, updating, and removing skills.
  • dist/index.cjs path writes are bounded by path traversal checks before copying/symlinking/removing skill files.
  • Well-known archive extraction rejects unsafe paths, links, encrypted zip entries, oversized archives, and missing root SKILL.md.
  • No static evidence of credential harvesting, arbitrary remote payload execution at install/import time, persistence, or destructive behavior outside explicit skill management commands.
Behavioral surface
Source
ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, Minified, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 6 file(s), 323 KB of source, external domains: add-skill.vercel.sh, api.github.com, connectors-skills.zapier.com, example.com, github.com, gitlab.com, raw.githubusercontent.com, schemas.agentskills.io, skills.sh

Source & flagged code

3 flagged
dist/index.cjs
High
Child Process

Package source references child process execution.

dist/index.cjs · L1
1'use strict';var chunkEOOPF3RI_cjs=require('./chunks/chunk-EOOPF3RI.cjs'),fs$1=require('fs'),path=require('path'),xdgBasedir=require('xdg-basedir'),os$1=require('os'),promises=requ... L2: `;await promises.writeFile(s,o,"utf-8");}async function Fe(t){let e=[];await cl(t,t,e),e.sort((n,l)=>n.relativePath.localeCompare(l.relativePath));let s=crypto.createHash("sha256")... ... L5: --- L6: ${s.replace(/^\r?\n/u,"")}`}async function ms(t,e,s){await promises.mkdir(e,{recursive:true});let n=await promises.readdir(t,{withFileTypes:true});await Promise.all(n.filter(l=>!To... L7: `)+`
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.cjs · L1
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.cjs · L1

Findings

4 High · 2 Medium · 4 Low
  • High: Child Process (dist/index.cjs)
  • High: Shell
  • High: Same File Env Network Execution (dist/index.cjs)
  • High: Command Output Exfiltration (dist/index.cjs)
  • Medium: Network
  • Medium: Environment Vars
  • Low: Scripts Present
  • Low: Filesystem
  • Low: High Entropy Strings
  • Low: Url Strings