registry  /  @glitches/skills  /  1.5.1-5.1

@glitches/skills@1.5.1-5.1

The open agent skills ecosystem

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `skills add`, `update`, `experimental_sync`, or another mutating CLI command.
Impact
A user-selected remote skill can be placed where a selected AI agent loads skills; telemetry discloses limited CLI metadata unless opted out.
Mechanism
Explicit CLI-managed agent skill copy/symlink and context-link setup.
Rationale
The scanner's child-process, network, and filesystem signals correspond to documented CLI behavior rather than an install-time or stealthy malicious chain. Flag as warning because explicit commands place remote instruction content into AI-agent load paths and emit opt-out telemetry.
Evidence
package.jsonbin/cli.mjsdist/cli.mjsREADME.mdskills-lock.json.gitignore.agents/skillsagent-specific skill directoriesagent context-file symlinks
Network endpoints4
add-skill.vercel.sh/tadd-skill.vercel.sh/auditapi.github.comskills.sh

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/cli.mjs` installs user-selected skill content into agent skill directories and creates symlinks.
  • Explicit `add` flows can synchronize agent context-file links and append managed entries to `.gitignore`.
  • `dist/cli.mjs` sends opt-out telemetry containing command metadata, selected skills, and detected agent.
  • The manifest version is `1.5.15.1`, inconsistent with the reviewed package-version label.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hook.
  • `bin/cli.mjs` only enables Node compile cache then imports `dist/cli.mjs`.
  • All filesystem mutation is reached through explicit CLI commands such as `add`, `remove`, `init`, or `update`.
  • GitHub tokens are used only as Authorization for GitHub API tree requests; no token exfiltration endpoint is present.
  • No eval/vm/native payload loading, credential harvesting, destructive payload, or stealth persistence was confirmed.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsObfuscatedUrlStrings
Manifest
WildcardDependency
scanned 4 file(s), 649 KB of source, external domains: add-skill.vercel.sh, api.github.com, connectors-skills.zapier.com, example.com, github.com, gitlab.com, raw.githubusercontent.com, schemas.agentskills.io, skills.sh

Source & flagged code

3 flagged · loading source
dist/_chunks/libs/common.mjsView file
9import { Buffer as Buffer$1 } from "node:buffer"; L10: import { spawn } from "child_process"; L11: import { normalize as normalize$1 } from "node:path";
High
Child Process

Package source references child process execution.

dist/_chunks/libs/common.mjsView on unpkg · L9
dist/cli.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @glitches/skills@1.5.15 matchedIdentity = npm:QGdsaXRjaGVzL3NraWxscw:1.5.15 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli.mjsView on unpkg
12Cross-file remote execution chain: dist/cli.mjs spawns dist/_chunks/libs/common.mjs; helper contains network access plus dynamic code execution. L12: import { promisify } from "util"; L13: import { execFile, execSync, spawn, spawnSync } from "child_process"; L14: import { access, chmod, cp, lstat, mkdir, mkdtemp, readFile, readdir, readlink, realpath, rm, stat, symlink, writeFile } from "fs/promises"; L15: import { createHash as createHash$1 } from "crypto"; L16: import { gunzipSync, inflateRawSync } from "node:zlib"; L17: var import_picocolors = /* @__PURE__ */ __toESM(require_picocolors(), 1); ... L34: } L35: if (!parsed.url.startsWith("http://") && !parsed.url.startsWith("https://")) return null; L36: try { ... L50: } L51: async function isRepoPrivate(owner, repo) { L52: try {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli.mjsView on unpkg · L12

Findings

1 Critical3 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/cli.mjs
HighChild Processdist/_chunks/libs/common.mjs
HighShell
HighCross File Remote Execution Contextdist/cli.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings