registry  /  @ojesusmp/model-effort-router  /  1.4.1

@ojesusmp/model-effort-router@1.4.1

Claude Code skill that routes every delegated task to the cheapest model tier that can do it well, escalates only on evidence, and adapts automatically when models are added, renamed, or removed.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. npm postinstall automatically installs package-owned Claude Code skill files into the user profile. This changes the local agent-extension surface without an explicit setup command.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install executes the postinstall lifecycle hook.
Impact
The package can influence future Claude Code delegation and skill-hardening behavior; no exfiltration, remote payload, or shell execution is confirmed.
Mechanism
copies bundled Markdown skills into ~/.claude/skills/
Rationale
This is a guarded first-party Claude Code extension setup performed automatically at postinstall. It warrants a warning under the lifecycle policy, but source inspection found no concrete malicious behavior.
Evidence
package.jsonbin/install.mjsskills/model-effort-router/SKILL.mdskills/skill-hardener/SKILL.mdREADME.md~/.claude/skills/model-effort-router/SKILL.md~/.claude/skills/model-effort-router/README.md~/.claude/skills/model-effort-router/LICENSE~/.claude/skills/model-effort-router/CHANGELOG.md~/.claude/skills/skill-hardener/SKILL.md~/.claude/skills/skill-hardener/README.md~/.claude/skills/skill-hardener/test/hardener-quiz.txt

Decision evidence

public snapshot
AI called this Suspicious at 96.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • package.json runs bin/install.mjs via postinstall.
  • bin/install.mjs writes automatically to ~/.claude/skills/.
  • Installer deploys two package-supplied Claude skills, including companion skill-hardener.
  • Installer overwrites named files when destination directories already exist.
Evidence against
  • bin/install.mjs uses only local fs/path/os APIs; no network client or subprocess execution.
  • Writes are confined to package-named ~/.claude/skills/model-effort-router and skill-hardener paths.
  • README.md hook and CLAUDE.md mutations are documented manual steps, not installer behavior.
  • Inspected skills contain routing/hardening guidance, not credential harvesting or prompt-override instructions.
Behavioral surface
Source
EnvironmentVarsFilesystem
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 2.97 KB of source

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node bin/install.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node bin/install.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/install.mjsView file
1Install-time AI-agent control hijack evidence: L5: L6: import { existsSync, mkdirSync, copyFileSync } from "node:fs"; L7: import { homedir, platform } from "node:os"; ... L35: L36: const skillsRoot = join(homedir(), ".claude", "skills"); L37: const targetRoot = join(skillsRoot, "model-effort-router"); ... L50: } L51: mkdirSync(dirname(d), { recursive: true }); L52: copyFileSync(s, d); L53: } ... L61: if (!DRY_RUN && !existsSync(targetRoot)) { L62: mkdirSync(targetRoot, { recursive: true }); Payload evidence from skills/sk[redacted]/SKILL.md: L1: --- L2: name: sk[redacted]
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

bin/install.mjsView on unpkg · L1

Findings

1 Critical1 High3 Medium3 Low
CriticalAi Agent Control Hijackbin/install.mjs
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings