AI Security Review
scanned 1h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `social-hub skills install`/`update`, or supplies `--yes` for non-interactive execution.
Impact
Bundled Social Hub instructions can be placed in agent skill directories; existing unmanaged skill directories are protected unless `--force` is supplied.
Mechanism
Explicit AI-agent skill deployment with managed-directory replacement.
Rationale
Not malicious by source inspection, but it has a real explicit AI-agent control-surface write capability. Downgrade to warn under the firewall policy for user-command agent configuration mutation.
Evidence
package.jsonpostinstall-guard.cjsdist/postinstall.jsdist/register-skills.jsdist/skills/agent-targets.jsdist/skills/install-planner.jsdist/skills/installer.js~/.codex/skills~/.cursor/skills~/.claude/skills
Network endpoints3
redd.eclick-geo.com/apiregistry.npmjs.orgcodeload.github.com
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `dist/skills/installer.js` copies or symlinks bundled skills into agent skill directories and removes managed target directories during update/remove.
- `dist/skills/agent-targets.js` includes global and project paths for Codex, Cursor, Claude Code, and other agents.
- `dist/register-skills.js` can auto-detect installed agents and install skills after an interactive confirmation or `--yes`.
Evidence against
- `postinstall-guard.cjs` only loads `dist/postinstall.js`; it performs no agent-config or filesystem mutation.
- `dist/postinstall.js` only prints an opt-outable installation hint and exits in CI.
- `dist/skills/install-planner.js` skips unmanaged existing directories unless the user supplies `--force`.
- No obfuscated payload, shell-eval path, credential harvesting, or install-time network call was found in inspected package code.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node postinstall-guard.cjs
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgpostinstall-guard.cjsView file
5try {
L6: const fs = require("node:fs");
L7: const path = require("node:path");
Medium
Dynamic Require
Package source references dynamic require/import behavior.
postinstall-guard.cjsView on unpkg · L5Findings
1 High4 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumDynamic Requirepostinstall-guard.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License