AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM blocks this version under the AI-agent control-surface policy. Installing the package automatically modifies the consuming project's Claude skill directory. Existing files under `.claude/skills/` are overwritten without user consent.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install executes the package postinstall hook.
Impact
A package-supplied AI-agent instruction file is installed or replaced in a foreign project control surface.
Mechanism
postinstall template copy with forced `.claude/skills/` overwrite
Policy narrative
On installation, the postinstall script resolves the consumer project root from `INIT_CWD` or `cwd` and recursively copies package templates into it. The package includes a Claude skill template and explicitly force-overwrites `.claude/skills/` destinations, allowing an install to add or replace AI-agent instructions in the consuming project without an explicit user command.
Rationale
This is a concrete unconsented postinstall mutation of a foreign AI-agent control surface. The benign-looking skill content does not remove the automatic overwrite behavior.
Evidence
package.jsonscripts/copy-templates.jstemplates/.claude/skills/fewbox-den/SKILL.md.claude/skills/fewbox-den/SKILL.md
Decision evidence
public snapshotAI called this Malicious at 98.0% confidence as Malware with low false-positive risk.
Evidence for policy block
- `package.json` runs `node scripts/copy-templates.js` on `postinstall`.
- `scripts/copy-templates.js` targets `INIT_CWD` or the current project root.
- It recursively copies packaged templates into that project during install.
- It force-overwrites paths under `.claude/skills/`.
- `templates/.claude/skills/fewbox-den/SKILL.md` is dropped into the host project's Claude control surface.
Evidence against
- The dropped skill declares only `Read, Grep, Glob` tools.
- No network, credential harvesting, child-process, or remote payload behavior was found.
Behavioral surface
ChildProcessEnvironmentVarsFilesystem
MinifiedUrlStrings
Source & flagged code
3 flagged · loading sourcepackage.jsonView file
•scripts registry_only=start
Critical
Manifest Confusion
Tarball package.json differs from the npm registry version manifest for scripts or dependency sets.
package.jsonView on unpkg•scripts.postinstall = node scripts/copy-templates.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgscripts/copy-templates.jsView file
2Install-time AI-agent control hijack evidence:
L4:
L5: const OVERWRITE_LIST = [path.join('.claude', 'skills') + path.sep];
L6:
L7: const copyFolderAsync = (source, target, rootSource) => {
L8: fs.mkdirSync(target, { recursive: true });
L9: const entries = fs.readdirSync(source, { withFileTypes: true });
...
L25: }
L26: fs.copyFileSync(srcPath, destPath);
L27: }
Payload evidence from templates/.claude/skills/fewbox-den/SKILL.md:
L2: name: fewbox-den
L3: description: Use when writing React UI with the fewbox-den component library. Provides component API reference for layouts (X/Y/S series), views (VLabel, VForm, VInput, etc.), netw...
L4: allowed-tools: Read, Grep, Glob
...
L826: handleSubmit={(data) => {
L827: // data is automatically converted from FormData to nested JSON
L828: // e.g., { form: { username: "value", password: "value" } }
...
L1066:
L1067: // File with base64 output
L1068: <VBase64File
...
L1442: handleNetworkError: (error) => console.error('Network error:', error),
L1443: isDebug: process.env.NODE_ENV === 'development'
L1444: });
Critical
Ai Agent Control Hijack
Install-time source drops package-supplied AI-agent/MCP control files or instructions.
scripts/copy-templates.jsView on unpkg · L2Findings
2 Critical1 High2 Medium3 Low
CriticalAi Agent Control Hijackscripts/copy-templates.js
CriticalManifest Confusionpackage.json
HighInstall Time Lifecycle Scriptspackage.json
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowUrl Strings