Loading npm security reports…
LPM treats this as warn-only first-party agent extension lifecycle risk. The runtime can explicitly install Linghun skills/plugins from local or Git/GitHub sources. Network installs clone a repository and write an untrusted extension manifest; no npm lifecycle trigger or foreign AI-agent configuration mutation was found.
Package source references weak cryptographic algorithms.
dist/chunk-6PZJEDSA.jsView on unpkg · L266This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/chunk-QA62UE5Z.jsView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/chunk-QA62UE5Z.jsView on unpkgPackage source references weak cryptographic algorithms.
dist/chunk-6PZJEDSA.jsView on unpkg · L266