registry  /  @gallopsystems/agent-skills  /  1.22.0

@gallopsystems/agent-skills@1.22.0

Gallop Systems agent skills, symlinked into .claude/skills (Claude Code) and .agents/skills (Codex) on install.

AI Security Review

scanned 5d ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Confirmed install-time mutation of AI-agent control directories. The package drops skills/plugins/commands into ~/.codex during npm postinstall, creating an unconsented agent control-surface change.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install of @gallopsystems/agent-skills@1.22.0
Impact
Unconsented installation of AI-agent instructions/tools that can affect later Codex behavior
Mechanism
postinstall copies package-supplied Codex commands/plugins into user ~/.codex
Policy narrative
On npm install, package.json runs scripts/link-skills.mjs. That script resolves the user's home directory and installs package-provided commands and plugins into ~/.codex/commands and ~/.codex/plugins by copying or symlinking them. Those are AI-agent control-surface files, and the mutation occurs as a lifecycle side effect rather than an explicit user-invoked setup command.
Rationale
The package's primary payload is agent skill/plugin material, but installing it automatically into ~/.codex during postinstall is an unconsented AI-agent control-surface mutation. Runtime Linear API access appears aligned and user-invoked, so the block is based on lifecycle control-surface writes, not data exfiltration. Product guard normalized a non-low false-positive publish_block request to warn-only suspicious.
Evidence
package.jsonscripts/link-skills.mjsplugins/linear/skills/linear/bin/linear.mjs~/.codex/commands~/.codex/plugins
Network endpoints1
api.linear.app/graphql

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node scripts/link-skills.mjs
  • scripts/link-skills.mjs copies package commands/plugins into ~/.codex by default during install
  • scripts/link-skills.mjs writes ~/.codex/commands and ~/.codex/plugins control-surface files without an explicit user command
  • plugins/linear/skills/linear/bin/linear.mjs sends GraphQL requests to https://api.linear.app/graphql only when invoked with LINEAR_API_KEY
Evidence against
  • No obfuscation, eval/vm/Function, native binary, or dynamic remote code loading found in searched source
  • Linear network use is package-aligned and user-invoked, not install-time exfiltration
  • No credential harvesting beyond reading LINEAR_API_KEY for Linear API authorization
  • No destructive file operations found; unlink mode removes only installed links/copies under ~/.codex
Behavioral surface
Source
EnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 25 file(s), 157 KB of source, external domains: api.linear.app, linear.app

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/link-skills.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
plugins/linear/skills/linear/bin/linear.mjsView file
11// Recommended: add `export LINEAR_API_KEY=lin_api_xxx` to ~/.zshenv (zsh) or L12: // ~/.bashrc (bash) so it's available in every shell — including the L13: // non-interactive ones spawned by Claude Code. ... L23: import { createInterface } from "node:readline/promises"; L24: import { stdin as input, stdout as output } from "node:process"; L25: L26: const API_URL = "https://api.linear.app/graphql"; L27: const API_KEY = process.env.LINEAR_API_KEY; L28: const WORKSPACE_FILE = L29: process.env.LINCTL_WORKSPACE_FILE || L30: join(homedir(), ".config", "linctl", "workspace.json"); L31:
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

plugins/linear/skills/linear/bin/linear.mjsView on unpkg · L11
scripts/link-skills.mjsView file
5Install-time AI-agent control hijack evidence: L5: // L6: // skills -> .claude/skills/<name> (Claude Code; a dir with SKILL.md) L7: // skills -> .agents/skills/<name> (Codex; same SKILL.md format) L8: // commands -> .claude/commands/<rel>.md (Claude Code only; a .md under commands/) L9: // ... L28: const UNLINK = process.argv.includes('--unlink') L29: const SKIP_DIRS = new Set(['node_modules', '.git', '.claude']) L30: ... L44: // or the workspace root in a monorepo, which is exactly where the shared L45: // .claude directory should live. Fall back to climbing out of node_modules. L46: function resolveProjectRoot() { ... L181: // Nothing to link: only tidy up previously-created links (if the dir exists), Payload evidence from plugins/contribute-skill/skills/contribute-skill/SKILL.md: L9: You are turning something learned in this session into a PR against L10: https://github.com/gallop-systems/agent-skills, the public repo behind the L11: installed skills.
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/link-skills.mjsView on unpkg · L5

Findings

1 Critical1 High4 Medium5 Low
CriticalAi Agent Control Hijackscripts/link-skills.mjs
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistenceplugins/linear/skills/linear/bin/linear.mjs
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License