registry  /  @inkeep/open-knowledge  /  0.22.0

@inkeep/open-knowledge@0.22.0

AI Security Review

scanned 9d ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Install-time code mutates AI-agent skill/control surfaces by globally installing a bundled OpenKnowledge discovery skill into detected agent hosts. This happens from npm postinstall without an explicit user CLI action.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install of @inkeep/open-knowledge@0.22.0
Impact
Unconsented modification of user AI-agent skill directories and sidecar state; may alter future agent behavior.
Mechanism
postinstall-spawned npx skills global agent skill install/removal
Policy narrative
On npm install, the postinstall script imports the package entry and invokes installUserSkill. That function uses npx to remove an older global OpenKnowledge skill and add the bundled discovery skill to all detected agent hosts globally, then writes install state/events under the user's home directory. This is an install-time AI-agent control-surface mutation rather than a user-invoked setup command.
Rationale
The package performs unconsented lifecycle modification of AI-agent skill surfaces during postinstall, which is concrete install-time control-surface mutation even if the bundled functionality is product-aligned. No broader credential exfiltration was confirmed, so the verdict is specific to install hook abuse/AI-agent control hijack. Product guard normalized a non-low false-positive publish_block request to warn-only suspicious.
Evidence
package.jsonscripts/postinstall.mjsdist/index.mjsdist/dist-5JkJUoWe.mjsdist/write-project-skill-Ba_TWxCT.mjs$HOME/.agents/skills/open-knowledge-discovery$HOME/.claude/skills/open-knowledge$HOME/.cursor/skills/open-knowledge$HOME/.ok/skill-install-events.jsonl

Decision evidence

public snapshot
AI called this Suspicious at 94.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node scripts/postinstall.mjs.
  • scripts/postinstall.mjs imports dist/index.mjs and calls installUserSkill during install.
  • dist/dist-5JkJUoWe.mjs installUserSkill spawns npx -y skills@~1.5.0 add <bundled discovery skill> --agent * -g -y --copy.
  • dist/dist-5JkJUoWe.mjs removes legacy user skill with npx skills@~1.5.0 remove --agent * -g open-knowledge.
  • dist/dist-5JkJUoWe.mjs records install events under $HOME/.ok/skill-install-events.jsonl and writes skill-state.
  • dist/write-project-skill-Ba_TWxCT.mjs defines agent config/skill paths for .claude, .cursor, .codex, and opencode.
Evidence against
  • No credential harvesting or exfiltration observed in the inspected install path.
  • GitHub OAuth, OPENAI key, and MCP/network features appear aligned with the CLI's knowledge-base functionality.
  • Native binaries are declared as native-config parse/edit helpers in dist/native/package.json.
  • Large bundled assets include app/public assets and bundled skills, not standalone staged payloads.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
Manifest
CopyleftLicense
scanned 530 file(s), 16.9 MB of source, external domains: 127.0.0.1, api.github.com, api.openai.com, bun.sh, cdn.jsdelivr.net, chevrotain.io, claude.com, cscott.net, cursor.com, developers.openai.com, docs.claude.com, docs.github.com, docs.orama.com, en.wikipedia.org, example.com, fb.me, foo.bar, github.com, gnu.org, html.spec.whatwg.org, json-schema.org, landley.net, langium.org, openai.com, opencode.ai, placeholder.invalid, player.vimeo.com, prosemirror.net, radix-ui.com, react.dev, uploads.github.com, www.ibm.com, www.loom.com, www.w3.org
Oversized source lightweight scan
dist/dist-CXugONRr.mjs2.65 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsMinifiedUrlStringsapi.github.com
dist/public/assets/pdf.worker-B1D2UnXD.mjs2.06 MB file, sampled 256 KB
NetworkChildProcessDynamicRequireUrlStringsexample.com

Source & flagged code

11 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/lib-CItGM3rN.mjsView file
39patternName = private_key_rsa severity = critical line = 39 matchedText = -----END...----
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/lib-CItGM3rN.mjsView on unpkg · L39
39patternName = private_key_rsa severity = critical line = 39 matchedText = -----END...----
Critical
Secret Pattern

RSA private key in dist/lib-CItGM3rN.mjs

dist/lib-CItGM3rN.mjsView on unpkg · L39
scripts/probe-exec.tsView file
59console.log(` ${label}`); L60: console.log(` exec(${JSON.stringify(cmd)})`); L61: console.log('═══════════════════════════════════════════════════════════');
High
Child Process

Package source references child process execution.

scripts/probe-exec.tsView on unpkg · L59
dist/chunk-XORM457F-BuPOSqOe.mjsView file
116contains invisible/control Unicode U+FEFF (zero width no-break space) `};delete e.items,Object.assign(e,{type:n,source:t,end:[r]});break}default:{let r=`indent`in e?e.indent:-1,i=`end`in e&&Array.isArray(e.end)?e.end.filter(e=>e.type===`space`||e.type===`comment`||e.type===`newline`):[];for(let t of Object.ke
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/chunk-XORM457F-BuPOSqOe.mjsView on unpkg · L116
dist/js-exec-M6UR76J5-Cu6NIWHE.mjsView file
28Cross-file remote execution chain: dist/js-exec-M6UR76J5-Cu6NIWHE.mjs spawns dist/chunk-5QMZ5MUS-BwpNU33k.mjs; helper contains network access plus dynamic code execution. L28: Available modules: L29: fs, path, child_process, process, console, L30: os, url, assert, util, events, buffer, stream, ... L43: child_process: L44: execSync(cmd) throws on non-zero exit, returns stdout L45: spawnSync(cmd, args) returns { stdout, stderr, status } ... L49: L50: os: platform(), arch(), homedir(), tmpdir(), type(), hostname(), L51: EOL, cpus(), endianness() L52: L53: url: URL, URLSearchParams, parse(), format() L54:
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/js-exec-M6UR76J5-Cu6NIWHE.mjsView on unpkg · L28
dist/server-lock-CN2YHwpP-DiysUpvV.mjsView file
Trigger-reachable chain: manifest.exports -> dist/index.mjs -> dist/gh-detect-DR8F3B_q.mjs -> dist/server-lock-CN2YHwpP-DiysUpvV.mjs Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/server-lock-CN2YHwpP-DiysUpvV.mjsView on unpkg
dist/native/native-config.linux-arm64-musl.nodeView file
path = dist/native/native-config.linux-arm64-musl.node kind = native_binary sizeBytes = 796488 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

dist/native/native-config.linux-arm64-musl.nodeView on unpkg
dist/public/assets/KaTeX_Script-Regular-D3wIWfF6.woff2View file
path = dist/public/assets/KaTeX_Script-Regular-D3wIWfF6.woff2 kind = high_entropy_blob sizeBytes = 9644 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/public/assets/KaTeX_Script-Regular-D3wIWfF6.woff2View on unpkg
dist/dist-CXugONRr.mjsView file
path = dist/dist-CXugONRr.mjs kind = oversized_source_file sizeBytes = 2780062 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/dist-CXugONRr.mjsView on unpkg

Findings

4 Critical6 High7 Medium9 Low
CriticalCritical Secretdist/lib-CItGM3rN.mjs
CriticalTrojan Source Unicodedist/chunk-XORM457F-BuPOSqOe.mjs
CriticalTrigger Reachable Dangerous Capabilitydist/server-lock-CN2YHwpP-DiysUpvV.mjs
CriticalSecret Patterndist/lib-CItGM3rN.mjs
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processscripts/probe-exec.ts
HighShell
HighCross File Remote Execution Contextdist/js-exec-M6UR76J5-Cu6NIWHE.mjs
HighShips High Entropy Blobdist/public/assets/KaTeX_Script-Regular-D3wIWfF6.woff2
HighOversized Source Filedist/dist-CXugONRr.mjs
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Require
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumShips Native Binarydist/native/native-config.linux-arm64-musl.node
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEval
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowCopyleft License