registry  /  @fewbox/den  /  0.2.0-preview.61

@fewbox/den@0.2.0-preview.61

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Installing the package automatically modifies the consuming project's Claude skill directory. Existing files under `.claude/skills/` are overwritten without user consent.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install executes the package postinstall hook.
Impact
A package-supplied AI-agent instruction file is installed or replaced in a foreign project control surface.
Mechanism
postinstall template copy with forced `.claude/skills/` overwrite
Policy narrative
On installation, the postinstall script resolves the consumer project root from `INIT_CWD` or `cwd` and recursively copies package templates into it. The package includes a Claude skill template and explicitly force-overwrites `.claude/skills/` destinations, allowing an install to add or replace AI-agent instructions in the consuming project without an explicit user command.
Rationale
This is a concrete unconsented postinstall mutation of a foreign AI-agent control surface. The benign-looking skill content does not remove the automatic overwrite behavior.
Evidence
package.jsonscripts/copy-templates.jstemplates/.claude/skills/fewbox-den/SKILL.md.claude/skills/fewbox-den/SKILL.md

Decision evidence

public snapshot
AI called this Malicious at 98.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • `package.json` runs `node scripts/copy-templates.js` on `postinstall`.
  • `scripts/copy-templates.js` targets `INIT_CWD` or the current project root.
  • It recursively copies packaged templates into that project during install.
  • It force-overwrites paths under `.claude/skills/`.
  • `templates/.claude/skills/fewbox-den/SKILL.md` is dropped into the host project's Claude control surface.
Evidence against
  • The dropped skill declares only `Read, Grep, Glob` tools.
  • No network, credential harvesting, child-process, or remote payload behavior was found.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystem
Supply chain
MinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 6 file(s), 130 KB of source, external domains: www.w3.org

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts registry_only=start
Critical
Manifest Confusion

Tarball package.json differs from the npm registry version manifest for scripts or dependency sets.

package.jsonView on unpkg
scripts.postinstall = node scripts/copy-templates.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts/copy-templates.jsView file
2Install-time AI-agent control hijack evidence: L4: L5: const OVERWRITE_LIST = [path.join('.claude', 'skills') + path.sep]; L6: L7: const copyFolderAsync = (source, target, rootSource) => { L8: fs.mkdirSync(target, { recursive: true }); L9: const entries = fs.readdirSync(source, { withFileTypes: true }); ... L25: } L26: fs.copyFileSync(srcPath, destPath); L27: } Payload evidence from templates/.claude/skills/fewbox-den/SKILL.md: L2: name: fewbox-den L3: description: Use when writing React UI with the fewbox-den component library. Provides component API reference for layouts (X/Y/S series), views (VLabel, VForm, VInput, etc.), netw... L4: allowed-tools: Read, Grep, Glob ... L826: handleSubmit={(data) => { L827: // data is automatically converted from FormData to nested JSON L828: // e.g., { form: { username: "value", password: "value" } } ... L1066: L1067: // File with base64 output L1068: <VBase64File ... L1442: handleNetworkError: (error) => console.error('Network error:', error), L1443: isDebug: process.env.NODE_ENV === 'development' L1444: });
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/copy-templates.jsView on unpkg · L2

Findings

2 Critical1 High2 Medium3 Low
CriticalAi Agent Control Hijackscripts/copy-templates.js
CriticalManifest Confusionpackage.json
HighInstall Time Lifecycle Scriptspackage.json
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowUrl Strings