registry  /  @inizioevoke/astro-core  /  3.0.1

@inizioevoke/astro-core@3.0.1

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Installing the package automatically mutates the consuming project's Claude agent skill directory. It deletes any existing skill directory with the package-selected name and replaces it with package-controlled instructions.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm postinstall during dependency installation
Impact
Package installation can alter Claude agent behavior in the consuming project without an explicit setup command.
Mechanism
Unconsented copy-and-replace of a foreign AI-agent control surface
Policy narrative
On installation, `postinstall.mjs` walks from the package directory to the consuming project, removes `.claude/skills/evoke-astro-core`, and copies the package's agent skill into that foreign control surface. This occurs automatically through `postinstall`, rather than through an explicit user setup action.
Rationale
The source confirms unconsented install-time mutation of the consuming project's `.claude` agent configuration. Although no exfiltration or remote execution was found, this meets the firewall block boundary for foreign AI-agent control-surface writes.
Evidence
package.jsonpostinstall.mjsagents/claude/evoke-astro-core/SKILL.md.claude/skills/evoke-astro-core

Decision evidence

public snapshot
AI called this Malicious at 98.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • `package.json` runs `node postinstall.mjs` on install.
  • `postinstall.mjs` resolves the consuming project root and targets `.claude/skills`.
  • Lifecycle code forcibly removes and replaces `.claude/skills/evoke-astro-core`.
  • It copies package-supplied agent instructions from `agents/claude` without user action.
Evidence against
  • `postinstall.mjs` uses only local filesystem APIs; no network or shell execution.
  • The dropped `SKILL.md` is package usage documentation, not credential or command-harvesting code.
  • PDF viewer network-like findings are browser PDF-link handling and bundled PDF.js, not install-time behavior.
  • No environment-variable harvesting, exfiltration, or remote payload loading found in inspected sources.
Behavioral surface
Source
ChildProcessDynamicRequireFilesystemNativeBindingsNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 28 file(s), 1.66 MB of source, external domains: example.com, foo.bar, ns.adobe.com, pdfviewer.evo, www.w3.org, www.xfa.org

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
src/components/PdfViewer/pdf.worker.min.mjsView file
24* pdfjsBuild = 7e5b36c2d L25: */const e=!("object"!=typeof process||process+""!="[object process]"||process.versions.nw||process.versions.electron&&process.type&&"browser"!==process.type),t=[1/0,1/0,-1/0,-1/0],... L26: /*webpackIgnore: true*/
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/components/PdfViewer/pdf.worker.min.mjsView on unpkg · L24
postinstall.mjsView file
1Install-time AI-agent control hijack evidence: L1: import { cpSync, readdirSync, rmSync } from 'fs'; L2: import { join, dirname } from 'path'; ... L8: const projectRoot = join(__dirname, '..', '..', '..'); L9: const destDir = join(projectRoot, '.claude', 'skills'); L10: const src = join(__dirname, 'agents', 'claude'); ... L15: rmSync(skillDestDir, { recursive: true, force: true }); L16: cpSync(join(src, dir), skillDestDir, { recursive: true }); L17: } Payload evidence from agents/claude/evoke-astro-core/SKILL.md: L198: L199: Custom event: `evopdfviewer-click` (fires when a custom `http://pdfviewer.evo` protocol link is clicked) L200:
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

postinstall.mjsView on unpkg · L1

Findings

1 Critical1 High5 Medium5 Low
CriticalAi Agent Control Hijackpostinstall.mjs
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiresrc/components/PdfViewer/pdf.worker.min.mjs
MediumNetwork
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings