AI called this Suspicious at 92.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- Explicit `citable install` copies a skill into supported agent harness directories.
- Installer supports global/project paths for Codex, Claude, Cursor, and other agents.
- `self-upgrade` fetches npm metadata and invokes pinned `npx` on explicit command.
Evidence against
- `package.json` has no preinstall/install/postinstall lifecycle hook.
- CLI entrypoint only dispatches after explicit user invocation.
- Installer requires confirmation or `--yes`, confines writes to selected scope, and rejects symlinks.
- Connector tokens are read only for user-invoked Google API requests; no credential exfiltration found.
- Crawler blocks private/loopback destinations and cross-origin redirects.
- No eval, dynamic code loading, native binaries, or hidden import-time execution found.
Behavioral surface
SourceChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chainHighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 53 file(s), 386 KB of source, external domains: agenticcommerce.dev, analyticsadmin.googleapis.com, analyticsdata.googleapis.com, blog.cloudflare.com, chromeuxreport.googleapis.com, developers.cloudflare.com, example.test, fonts.gstatic.com, google.github.io, invalid.test, llmstxt.org, modelcontextprotocol.io, mpp.dev, registry.npmjs.org, schema.org, searchconsole.googleapis.com, ucp.dev, www.googleapis.com, www.x402.org