registry  /  @ojesusmp/model-effort-router  /  1.3.0

@ojesusmp/model-effort-router@1.3.0

Claude Code skill that routes every delegated task to the cheapest model tier that can do it well, escalates only on evidence, and adapts automatically when models are added, renamed, or removed.

AI Security Review

scanned 13d ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package mutates Claude Code's AI-agent control surface during npm postinstall by copying skill instruction files into the user's home directory. This can affect later agent delegation behavior without an explicit runtime invocation of the package binary.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install or any package manager lifecycle execution
Impact
Changes future Claude Code skill behavior/model routing and installs a companion hardening skill
Mechanism
postinstall AI skill file drop
Policy narrative
On installation, npm runs bin/install.mjs. The script derives ~/.claude/skills and copies package-supplied Claude Code skill instructions into model-effort-router and skill-hardener directories, causing later Claude Code sessions to load package-controlled agent routing/hardening instructions. I found no exfiltration or destructive payload, but the install-time mutation of an AI-agent control surface is concrete.
Rationale
Source inspection confirms unconsented lifecycle writes to Claude Code skill directories, which is a concrete AI-agent control-surface mutation even though the content matches the package theme and has no network exfiltration. Under the firewall boundary, this warrants blocking as ai_agent_control_hijack. Product guard normalized a concrete AI-agent control hijack publish_block to the blockable dangerous-capability shape.
Evidence
package.jsonbin/install.mjsSKILL.mdskills/skill-hardener/SKILL.md~/.claude/skills/model-effort-router/SKILL.md~/.claude/skills/model-effort-router/README.md~/.claude/skills/model-effort-router/LICENSE~/.claude/skills/model-effort-router/CHANGELOG.md~/.claude/skills/skill-hardener/SKILL.md~/.claude/skills/skill-hardener/README.md~/.claude/skills/skill-hardener/test/hardener-quiz.txt

Decision evidence

public snapshot
AI called this Malicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json runs postinstall: node bin/install.mjs
  • bin/install.mjs writes package SKILL.md/README/LICENSE/CHANGELOG into ~/.claude/skills/model-effort-router
  • bin/install.mjs also writes bundled skills/skill-hardener files into ~/.claude/skills/skill-hardener
  • Installed SKILL.md governs Claude Code delegation/model selection and subagent prompts
Evidence against
  • No network calls or exfiltration endpoints found
  • No child_process, eval, dynamic code loading, persistence daemon, or destructive file operations found
  • Install script is best-effort and skips CI or MER_SKIP_POSTINSTALL
  • Behavior is aligned with the package's stated Claude skill purpose
Behavioral surface
Source
EnvironmentVarsFilesystem
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 2.94 KB of source

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node bin/install.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node bin/install.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/install.mjsView file
1Install-time AI-agent control hijack evidence: L5: L6: import { existsSync, mkdirSync, copyFileSync } from "node:fs"; L7: import { homedir, platform } from "node:os"; ... L35: L36: const skillsRoot = join(homedir(), ".claude", "skills"); L37: const targetRoot = join(skillsRoot, "model-effort-router"); ... L50: } L51: mkdirSync(dirname(d), { recursive: true }); L52: copyFileSync(s, d); L53: } ... L61: if (!DRY_RUN && !existsSync(targetRoot)) { L62: mkdirSync(targetRoot, { recursive: true }); Payload evidence from skills/sk[redacted]/SKILL.md: L1: --- L2: name: sk[redacted]
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

bin/install.mjsView on unpkg · L1

Findings

1 Critical1 High3 Medium3 Low
CriticalAi Agent Control Hijackbin/install.mjs
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings