AI Security Review
scanned 1h ago · by lpm-firewall-aiLPM blocks this version under the AI-agent control-surface policy. npm postinstall automatically mutates three user-home AI-agent skill control surfaces. It deletes and replaces package-named skill directories, causing installed agent instructions to take effect without an explicit setup command.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install or package update executes the postinstall lifecycle hook.
Impact
Package-supplied instructions are installed into Claude Code, agents, and Codex skill directories and can influence future agent behavior.
Mechanism
automatic cross-agent skill installation and replacement
Policy narrative
Installing the package invokes a postinstall script that resolves the user home directory, recursively removes each existing scriptctl skill directory under three AI-agent roots, and copies the package-provided skill into them. The mutation occurs by default during installation; the opt-out requires an environment variable to have been set in advance.
Rationale
This is a concrete, unconsented postinstall mutation of foreign and broad AI-agent control surfaces. Documentation and an opt-out do not eliminate the automatic lifecycle behavior.
Evidence
package.jsonscripts/install-skill.mjsREADME.mdskills/scriptctl/SKILL.mdskills/scriptctl~/.claude/skills/scriptctl~/.agents/skills/scriptctl~/.codex/skills/scriptctl
Decision evidence
public snapshotAI called this Malicious at 98.0% confidence as Malware with low false-positive risk.
Evidence for policy block
- package.json:48 runs scripts/install-skill.mjs as postinstall.
- scripts/install-skill.mjs:22-25 targets ~/.claude, ~/.agents, and ~/.codex skill roots.
- scripts/install-skill.mjs:65-71 removes and replaces each scriptctl skill directory during install.
- scripts/install-skill.mjs:103-105 performs the writes automatically unless opt-out variables are pre-set.
- README.md:15 confirms installation/update performs these agent-skill writes.
Evidence against
- Installer copies only the packaged skills/scriptctl content; no remote payload download is present.
- No credential harvesting or network request appears in the postinstall script.
- The behavior is documented and can be disabled with environment variables.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node scripts/install-skill.mjs
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgscripts/install-skill.mjsView file
1Install-time AI-agent control hijack evidence:
L22: const TARGET_SKILL_ROOTS = [
L23: path.join(".claude", "skills"),
L24: path.join(".agents", "skills"),
L25: path.join(".codex", "skills"),
L26: ];
...
L58: const stamped = text.replace(/^scriptctl_version:.*$/m, `scriptctl_version: "${version}"`);
L59: fs.writeFileSync(skillMdPath, stamped, "utf-8");
L60: } catch {
...
L67: fs.rmSync(target, { recursive: true, force: true });
L68: fs.mkdirSync(path.dirname(target), { recursive: true });
L69: fs.cpSync(skillSrc, target, { recursive: true });
L70: stampVersion(path.join(target, "SKILL.md"), version);
Payload evidence from skills/scriptctl/SKILL.md:
L1: ---
L2: name: scriptctl
Critical
Ai Agent Control Hijack
Install-time source drops package-supplied AI-agent/MCP control files or instructions.
scripts/install-skill.mjsView on unpkg · L1Findings
1 Critical1 High3 Medium4 Low
CriticalAi Agent Control Hijackscripts/install-skill.mjs
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings