registry  /  @lingjingai/lj-awb-cli-pre  /  0.5.5

@lingjingai/lj-awb-cli-pre@0.5.5

Lingjing AWB CLI monorepo with shared core, standalone CLI, and agent skills (pre-release build pointing to https://animeworkbench-pre.lingjingai.cn)

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package performs install-time AI-agent extension setup by writing a package-owned skill into Codex, Claude, and cc-switch skill directories. This creates lifecycle risk, but source inspection did not show exfiltration, stealth persistence, or remote code execution beyond user/agent-invoked CLI and npm install behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install runs package.json postinstall; later agent use may invoke the installed skill bootstrap script.
Impact
Agent behavior can be extended to use lj-awb commands; explicit skill bootstrap may install the CLI globally via npm if missing or outdated.
Mechanism
postinstall copies package-owned agent skill files and bootstrap script
Rationale
Source inspection confirms install-time mutation of AI-agent skill directories, which warrants a warning under the package-owned extension policy. It does not meet the block threshold because the behavior is visible, first-party, package-aligned, and no concrete exfiltration or malicious chain was found.
Evidence
package.jsoninstall.mjsskills/lj-awb/SKILL.mdskills/lj-awb/scripts/resolve-lj-awb-cmd.shpackages/awb-cli/bin/lj-awb.jspackages/awb-core/src/common.jspackages/awb-core/src/api.jspackages/awb-core/src/auth.js~/.cc-switch/skills/lj-awb~/.codex/skills/lj-awb~/.claude/skills/lj-awb~/.lingjingai/awb/auth.json~/.lingjingai/awb/state.json
Network endpoints4
animeworkbench-pre.lingjingai.cnanimeworkbench-pre.lingjingai.cn/platform/creation?openModal=RechargeModalanimeworkbench.lingjingai.cn/platform/creation?openModal=RechargeModalregistry.npmjs.org/

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall: node install.mjs.
  • install.mjs copies skills/lj-awb into ~/.codex/skills/lj-awb, ~/.claude/skills/lj-awb, and ~/.cc-switch/skills/lj-awb by default.
  • install.mjs removes existing target skill dirs with rmSync before copying package files.
  • skills/lj-awb/SKILL.md instructs agents to run scripts/resolve-lj-awb-cmd.sh; that script can run npm install -g @lingjingai/lj-awb-cli@<version>.
  • packages/awb-core/src/api.js sends authenticated API requests with X-Access-Key to animeworkbench-pre.lingjingai.cn when user invokes CLI commands.
Evidence against
  • No credential harvesting beyond package-specific LINGJING_AWB_ACCESS_KEY/auth.json use was found in inspected auth/common/api code.
  • Network endpoints are aligned with the Lingjing AWB CLI purpose and are used by explicit CLI commands.
  • packages/awb-cli/bin/lj-awb.js only re-execs itself with NODE_EXTRA_CA_CERTS and then runs the local standalone CLI.
  • The installed skill is package-owned first-party lj-awb guidance, not a hidden foreign prompt payload.
  • No eval/vm, remote payload loading, destructive project deletion, or broad file exfiltration was identified.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 16 file(s), 555 KB of source, external domains: animeworkbench-pre.lingjingai.cn, animeworkbench.lingjingai.cn, registry.npmjs.org, volta.sh

Source & flagged code

6 flagged · loading source
package.jsonView file
scripts.postinstall = node install.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node install.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
packages/awb-core/src/common.jsView file
6L7: export const DEFAULT_API_ORIGIN = 'https://animeworkbench-pre.lingjingai.cn'; L8: export const API_ORIGIN = ( L9: process.env.LINGJING_AWB_API_ORIGIN L10: || process.env.ANIME_API_ORIGIN ... L25: L26: export const APP_HOME_DIR = process.env.LINGJING_AWB_STATE_DIR || process.env.ANIME_STATE_DIR || path.join(os.homedir(), '.lingjingai', 'awb'); L27: export const AUTH_PATH = process.env.LINGJING_AWB_AUTH_PATH || process.env.ANIME_AUTH_PATH || path.join(APP_HOME_DIR, 'auth.json'); ... L135: path.join(os.homedir(), '.zprofile'), L136: path.join(os.homedir(), '.zshrc'), L137: path.join(os.homedir(), '.profile'), ... L153: try {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

packages/awb-core/src/common.jsView on unpkg · L6
6L7: export const DEFAULT_API_ORIGIN = 'https://animeworkbench-pre.lingjingai.cn'; L8: export const API_ORIGIN = ( L9: process.env.LINGJING_AWB_API_ORIGIN L10: || process.env.ANIME_API_ORIGIN ... L25: L26: export const APP_HOME_DIR = process.env.LINGJING_AWB_STATE_DIR || process.env.ANIME_STATE_DIR || path.join(os.homedir(), '.lingjingai', 'awb'); L27: export const AUTH_PATH = process.env.LINGJING_AWB_AUTH_PATH || process.env.ANIME_AUTH_PATH || path.join(APP_HOME_DIR, 'auth.json'); ... L135: path.join(os.homedir(), '.zprofile'), L136: path.join(os.homedir(), '.zshrc'), L137: path.join(os.homedir(), '.profile'), ... L153: try {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

packages/awb-core/src/common.jsView on unpkg · L6
install.mjsView file
1Install-time AI-agent control hijack evidence: L1: #!/usr/bin/env node L2: import { cpSync, existsSync, mkdirSync, readdirSync, rmSync } from 'node:fs'; L3: import { homedir } from 'node:os'; ... L9: function copyDirectory(sourceDir, targetDir) { L10: mkdirSync(targetDir, { recursive: true }); L11: for (const entry of readdirSync(sourceDir, { withFileTypes: true })) { ... L17: } else { L18: cpSync(sourcePath, targetPath); L19: } ... L25: const explicitSkillTargetDir = process.env.LINGJING_AWB_SKILL_INSTALL_DIR || process.env.ANIME_SKILL_INSTALL_DIR; L26: const codexHomeDir = process.env.CODEX_HOME || join(homedir(), '.codex'); L27: Payload evidence from skills/lj-awb/SKILL.md: L4: description: "灵境 AWB CLI skill。使用 `lj-awb` 命令调用动漫平台 / AWB 云端能力,覆盖认证、项目组、积分余额/明细/用量(含充值购买与兑换码兑换)、模型发现、上传、统一 create 创建域、任务查询、视频超分。用户说生图、生视频、积分明细、积分流水、充值记录、消耗记录、主体、音色、素材加白、去字幕时使用。正式生成... L5: metadata: L6: bootstrap: ... L56: L57: 脚本 stdout 只输出可执行命令;安装日志和错误走 stderr。后续命令优先使用解析结果: L58:
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

install.mjsView on unpkg · L1
skills/lj-awb/scripts/resolve-lj-awb-cmd.shView file
path = skills/lj-awb/scripts/resolve-lj-awb-cmd.sh kind = build_helper sizeBytes = 3529 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

skills/lj-awb/scripts/resolve-lj-awb-cmd.shView on unpkg

Findings

1 Critical1 High6 Medium5 Low
CriticalAi Agent Control Hijackinstall.mjs
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencepackages/awb-core/src/common.js
MediumShips Build Helperskills/lj-awb/scripts/resolve-lj-awb-cmd.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptopackages/awb-core/src/common.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings