registry  /  @lsproxy/cli  /  0.11.4

@lsproxy/cli@0.11.4

Standalone refactor CLI driving any LSP server: project-wide rename, file-move with importer updates, and move-symbol

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package has an npm postinstall hook that unconditionally installs package-supplied Claude skill files into the user's home directory. This is lifecycle-triggered mutation of a foreign AI-agent control surface.

Static reason
High-risk behavior combination matched malicious policy.; source matched previously finalized malicious package; routed for review; source fingerprint signature matched known malicious package; routed for review
Trigger
npm install of @lsproxy/cli@0.11.4
Impact
Installs agent-facing instructions without explicit user invocation or consent during package installation.
Mechanism
postinstall copies packaged Claude skill directory to ~/.claude/skills
Policy narrative
On install, npm runs skillit-postinstall.cjs. The script reads package metadata, rewrites markdown under the packaged skills directory, creates ~/.claude/skills, and recursively copies each packaged skill directory there. That places package-supplied instructions into Claude's user-level skill surface without an explicit CLI command.
Rationale
Although the CLI runtime behavior is largely aligned with LSP/refactoring functionality, the unguarded install-time write into ~/.claude/skills matches the policy for unconsented lifecycle mutation of a foreign AI-agent control surface. No additional exfiltration or remote payload behavior is needed for this block decision.
Evidence
package.jsonskillit-postinstall.cjsskills/lsproxy-cli/SKILL.mddist/connect.jsdist/session.jsdist/config/adapters/claude-code.jsskills/lsproxy-cli/**~/.claude/skills/lsproxy-cli/**

Decision evidence

public snapshot
AI called this Malicious at 96.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node ./skillit-postinstall.cjs
  • skillit-postinstall.cjs runs at install time and copies packaged skills into os.homedir()/.claude/skills
  • skills/lsproxy-cli/SKILL.md is package-supplied Claude skill content for invoking lsproxy commands
  • skillit-postinstall.cjs mutates packaged .md files before copying them
Evidence against
  • No credential harvesting or exfiltration endpoints found in inspected source
  • dist/connect.js daemon behavior is user-invoked CLI/proxy functionality
  • dist/session.js child_process spawn runs user-selected language server commands during CLI use
  • Config adapter writes are exposed through explicit lsproxy config commands
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 23 file(s), 129 KB of source

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node ./sk[redacted]
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
skillit-postinstall.cjsView file
26Install-time AI-agent control hijack evidence: L26: const updated = content.replaceAll(npxPrefix, binName); L27: if (updated !== content) fs.writeFileSync(full, updated, 'utf8'); L28: } ... L32: function copyDir(src, dest) { L33: fs.mkdirSync(dest, { recursive: true }); L34: for (const entry of fs.readdirSync(src, { withFileTypes: true })) { ... L39: } else { L40: fs.copyFileSync(srcPath, destPath); L41: } ... L46: L47: const userSkillsDir = path.join(os.homedir(), '.claude', 'skills'); L48: try { Payload evidence from skills/lsproxy-cli/SKILL.md: L63: server has not loaded the full workspace project. lsproxy flags this case as `partial:true` L64: with a `warning` (and a stderr note) instead of a bare `ok:true`. Do not treat a L65: partial/empty result as "no callers" for a deletion or a file move; verify with a ... L1068: L1069: - [Repository](https://github.com/pradeepmouli/lspeasy.git) L1070: - Author: Pradeep Mouli
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

skillit-postinstall.cjsView on unpkg · L26
dist/connect.jsView file
matchType = normalized_sha256 matchedPackage = @lsproxy/cli@0.11.3 matchedPath = dist/connect.js matchedIdentity = npm:QGxzcHJveHkvY2xp:0.11.3 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/connect.jsView on unpkg
matchType = malicious_source_fingerprint_signature signature = 7edafc4bb87fce0e signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = @lsproxy/cli@0.11.3 matchedPath = dist/connect.js matchedIdentity = npm:QGxzcHJveHkvY2xp:0.11.3 similarity = 1.000 shingleOverlap = 12 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

dist/connect.jsView on unpkg

Findings

1 Critical3 High2 Medium3 Low
CriticalAi Agent Control Hijackskillit-postinstall.cjs
HighInstall Time Lifecycle Scriptspackage.json
HighKnown Malware Source Similaritydist/connect.js
HighKnown Malware Source Fingerprint Signaturedist/connect.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings