AI Security Review
scanned 11h ago · by lpm-firewall-aiLPM blocks this version under the AI-agent control-surface policy. Install-time code mutates a foreign AI-agent control surface in the consuming project. It replaces matching Claude skill directories with package-controlled instructions without user action.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm installation triggers the `postinstall` lifecycle hook.
Impact
An installed dependency can alter Claude's available skills and their operational instructions for the consuming project.
Mechanism
Force-delete and copy package-supplied skills into the consumer's `.claude/skills` directory.
Policy narrative
On installation, the package's `postinstall.mjs` traverses from its own directory to the consumer project root, deletes named directories under `.claude/skills`, and replaces them with package-owned Claude skill definitions. This unconsented lifecycle mutation changes a foreign AI-agent control surface and can influence future agent actions in the project.
Rationale
The concrete postinstall overwrite of consumer `.claude/skills` meets the blocking policy for unconsented mutation of a foreign/broad AI-agent control surface. No separate exfiltration chain is required for this verdict.
Evidence
package.jsonpostinstall.mjsagents/claude/evoke-analytics-auditor/SKILL.mdagents/claude/evoke-page-manager/SKILL.mdagents/claude/evoke-veeva-config-manager/SKILL.md.claude/skills/evoke-analytics-auditor.claude/skills/evoke-page-manager.claude/skills/evoke-veeva-config-manager
Decision evidence
public snapshotAI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for policy block
- `package.json` runs `node postinstall.mjs` automatically on install.
- `postinstall.mjs` resolves the consuming project root and targets `.claude/skills`.
- `postinstall.mjs` force-removes each existing matching skill directory before copying package-controlled replacements.
- Package-supplied `agents/claude/*/SKILL.md` files contain AI-agent instructions and MCP/tool-use workflows.
Evidence against
- No network, credential-harvesting, shell-execution, or remote-payload APIs were found in inspected runtime source.
- Other filesystem writes in `src/apps` and `src/tasks` are explicit project-generation/deployment functions, not import-time behavior.
Behavioral surface
CryptoFilesystem
Source & flagged code
3 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node postinstall.mjs
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node postinstall.mjs
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgpostinstall.mjsView file
1Install-time AI-agent control hijack evidence:
L1: import { cpSync, readdirSync, rmSync } from 'fs';
L2: import { join, dirname } from 'path';
...
L8: const projectRoot = join(__dirname, '..', '..', '..');
L9: const destDir = join(projectRoot, '.claude', 'skills');
L10: const src = join(__dirname, 'agents', 'claude');
...
L15: rmSync(skillDestDir, { recursive: true, force: true });
L16: cpSync(join(src, dir), skillDestDir, { recursive: true });
L17: }
Payload evidence from agents/claude/evoke-veeva-config-manager/SKILL.md:
L1: ---
L2: name: evoke-veeva-config-manager
Critical
Ai Agent Control Hijack
Install-time source drops package-supplied AI-agent/MCP control files or instructions.
postinstall.mjsView on unpkg · L1Findings
1 Critical1 High2 Medium3 Low
CriticalAi Agent Control Hijackpostinstall.mjs
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem