registry  /  @lingjingai/scriptctl  /  0.35.0

@lingjingai/scriptctl@0.35.0

剧本阶段统一 CLI:直转外部素材到 script.json,以及当前最终剧本的读取、校验、原子编辑与批量 patch 精修。

AI Security Review

scanned 1h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. npm postinstall automatically mutates three user-home AI-agent skill control surfaces. It deletes and replaces package-named skill directories, causing installed agent instructions to take effect without an explicit setup command.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install or package update executes the postinstall lifecycle hook.
Impact
Package-supplied instructions are installed into Claude Code, agents, and Codex skill directories and can influence future agent behavior.
Mechanism
automatic cross-agent skill installation and replacement
Policy narrative
Installing the package invokes a postinstall script that resolves the user home directory, recursively removes each existing scriptctl skill directory under three AI-agent roots, and copies the package-provided skill into them. The mutation occurs by default during installation; the opt-out requires an environment variable to have been set in advance.
Rationale
This is a concrete, unconsented postinstall mutation of foreign and broad AI-agent control surfaces. Documentation and an opt-out do not eliminate the automatic lifecycle behavior.
Evidence
package.jsonscripts/install-skill.mjsREADME.mdskills/scriptctl/SKILL.mdskills/scriptctl~/.claude/skills/scriptctl~/.agents/skills/scriptctl~/.codex/skills/scriptctl

Decision evidence

public snapshot
AI called this Malicious at 98.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • package.json:48 runs scripts/install-skill.mjs as postinstall.
  • scripts/install-skill.mjs:22-25 targets ~/.claude, ~/.agents, and ~/.codex skill roots.
  • scripts/install-skill.mjs:65-71 removes and replaces each scriptctl skill directory during install.
  • scripts/install-skill.mjs:103-105 performs the writes automatically unless opt-out variables are pre-set.
  • README.md:15 confirms installation/update performs these agent-skill writes.
Evidence against
  • Installer copies only the packaged skills/scriptctl content; no remote payload download is present.
  • No credential harvesting or network request appears in the postinstall script.
  • The behavior is documented and can be disabled with environment variables.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 106 file(s), 1.23 MB of source, external domains: example.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/install-skill.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts/install-skill.mjsView file
1Install-time AI-agent control hijack evidence: L22: const TARGET_SKILL_ROOTS = [ L23: path.join(".claude", "skills"), L24: path.join(".agents", "skills"), L25: path.join(".codex", "skills"), L26: ]; ... L58: const stamped = text.replace(/^scriptctl_version:.*$/m, `scriptctl_version: "${version}"`); L59: fs.writeFileSync(skillMdPath, stamped, "utf-8"); L60: } catch { ... L67: fs.rmSync(target, { recursive: true, force: true }); L68: fs.mkdirSync(path.dirname(target), { recursive: true }); L69: fs.cpSync(skillSrc, target, { recursive: true }); L70: stampVersion(path.join(target, "SKILL.md"), version); Payload evidence from skills/scriptctl/SKILL.md: L1: --- L2: name: scriptctl
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/install-skill.mjsView on unpkg · L1

Findings

1 Critical1 High3 Medium4 Low
CriticalAi Agent Control Hijackscripts/install-skill.mjs
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings