AI Security Review
scanned 2h ago · by lpm-firewall-ai
The package has an install-time hook that plants bundled Claude Code skills into the user's Claude configuration when Claude is detected. This mutates a foreign AI-agent control surface during npm install without user consent.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall when claude is in PATH or ~/.claude exists
Impact
Package-supplied instructions become available to Claude Code and can influence future agent behavior outside the npm package boundary.
Mechanism
unconsented lifecycle write to Claude Code skills
Attack narrative
On installation, npm runs scripts/runPostinstall.mjs, which executes dist/scripts/postinstall.js. If Claude Code is detectable, the script creates or updates many ~/.claude/skills directories with package-bundled SKILL.md files and hash markers. Although the content appears Frontline-aligned, the delivery is automatic lifecycle mutation of Claude's agent instruction surface rather than an explicit setup action.
Rationale
Source inspection confirms unconsented postinstall writes into ~/.claude/skills, which the policy treats as blockable AI-agent control hijack even when the planted instructions are product-aligned. No classic exfiltration was found, but the lifecycle-triggered foreign agent control-surface mutation is sufficient for a malicious verdict.
Evidence
- package.json
- scripts/runPostinstall.mjs
- dist/scripts/postinstall.js
- dist/commands/setup/claudeSkills.js
- dist/skills/frontline-api/SKILL.md
- dist/skills/max-auth/SKILL.md
- dist/lib/config.js
- dist/lib/updateCheck.js
- dist/skills/*/SKILL.md
- ~/.claude/skills/*/SKILL.md
- ~/.claude/skills/*/.frontline-hash
Network endpoints (5)
- prod-api.getfrontline.ai/public/v1
- registry.npmjs.org/@getfrontline/cli/latest
- docs.getfrontline.ai/docs
- docs.getfrontline.ai/cli
- help.getfrontline.ai
Decision evidence
public snapshot
AI called this Malicious at 95.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for block
- package.json defines postinstall: node ./scripts/runPostinstall.mjs
- scripts/runPostinstall.mjs spawns dist/scripts/postinstall.js during npm install
- dist/scripts/postinstall.js detects Claude via claude --version or ~/.claude presence
- dist/scripts/postinstall.js writes bundled dist/skills/*/SKILL.md into ~/.claude/skills with .frontline-hash
- Lifecycle delivery targets Claude Code skills, a foreign AI-agent control surface, without explicit user invocation
Evidence against
- Skill contents inspected are product-aligned Frontline/Max CLI instructions, not classic credential exfiltration payloads
- Writes use hash checks to avoid overwriting customized existing skills
- A user-invoked setup command also exists for explicit Claude skill installation
- CLI network use is package-aligned Frontline API and npm update checking
Behavioral surface
- ChildProcess
- Crypto
- EnvironmentVars
- Filesystem
- Network
- Shell
- HighEntropyStrings
- UrlStrings
Source & flagged code
1 flagged
package.json
• scripts.postinstall = node ./scripts/runPostinstall.mjs
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
Findings
1 High · 3 Medium · 5 Low
- High: Install Time Lifecycle Scripts (package.json)
- Medium: Network
- Medium: Environment Vars
- Medium: Structural Risk Force Deep Review
- Low: Non Install Lifecycle Scripts
- Low: Scripts Present
- Low: Filesystem
- Low: High Entropy Strings
- Low: Url Strings