registry  /  @inizioevoke/veeva-astroclm-core  /  1.2.2

@inizioevoke/veeva-astroclm-core@1.2.2

AI Security Review

scanned 11h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Install-time code mutates a foreign AI-agent control surface in the consuming project. It replaces matching Claude skill directories with package-controlled instructions without user action.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm installation triggers the `postinstall` lifecycle hook.
Impact
An installed dependency can alter Claude's available skills and their operational instructions for the consuming project.
Mechanism
Force-delete and copy package-supplied skills into the consumer's `.claude/skills` directory.
Policy narrative
On installation, the package's `postinstall.mjs` traverses from its own directory to the consumer project root, deletes named directories under `.claude/skills`, and replaces them with package-owned Claude skill definitions. This unconsented lifecycle mutation changes a foreign AI-agent control surface and can influence future agent actions in the project.
Rationale
The concrete postinstall overwrite of consumer `.claude/skills` meets the blocking policy for unconsented mutation of a foreign/broad AI-agent control surface. No separate exfiltration chain is required for this verdict.
Evidence
package.jsonpostinstall.mjsagents/claude/evoke-analytics-auditor/SKILL.mdagents/claude/evoke-page-manager/SKILL.mdagents/claude/evoke-veeva-config-manager/SKILL.md.claude/skills/evoke-analytics-auditor.claude/skills/evoke-page-manager.claude/skills/evoke-veeva-config-manager

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • `package.json` runs `node postinstall.mjs` automatically on install.
  • `postinstall.mjs` resolves the consuming project root and targets `.claude/skills`.
  • `postinstall.mjs` force-removes each existing matching skill directory before copying package-controlled replacements.
  • Package-supplied `agents/claude/*/SKILL.md` files contain AI-agent instructions and MCP/tool-use workflows.
Evidence against
  • No network, credential-harvesting, shell-execution, or remote-payload APIs were found in inspected runtime source.
  • Other filesystem writes in `src/apps` and `src/tasks` are explicit project-generation/deployment functions, not import-time behavior.
Behavioral surface
Source
CryptoFilesystem
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 58 file(s), 123 KB of source

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
postinstall.mjsView file
1Install-time AI-agent control hijack evidence: L1: import { cpSync, readdirSync, rmSync } from 'fs'; L2: import { join, dirname } from 'path'; ... L8: const projectRoot = join(__dirname, '..', '..', '..'); L9: const destDir = join(projectRoot, '.claude', 'skills'); L10: const src = join(__dirname, 'agents', 'claude'); ... L15: rmSync(skillDestDir, { recursive: true, force: true }); L16: cpSync(join(src, dir), skillDestDir, { recursive: true }); L17: } Payload evidence from agents/claude/evoke-veeva-config-manager/SKILL.md: L1: --- L2: name: evoke-veeva-config-manager
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

postinstall.mjsView on unpkg · L1

Findings

1 Critical1 High2 Medium3 Low
CriticalAi Agent Control Hijackpostinstall.mjs
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem