registry  /  @playlist-tech/enterprise-skills  /  1.5.14-enterprise.3

@playlist-tech/enterprise-skills@1.5.14-enterprise.3

An enterprise-customizable fork of Vercel Labs' skills CLI for internal skill registries.

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a skills-management CLI whose risky primitives are activated by user CLI commands and align with installing, updating, searching, or using skills.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs enterprise-skills/skills/add-skill commands such as add, find, update, use, plugin, setup, or hooks repair.
Impact
Installs or removes selected skill files and may configure hooks only under explicit env-command configuration; no install-time malware observed.
Mechanism
User-invoked skill registry CLI with git/fetch, file copy/symlink, optional hooks, and telemetry
Rationale
Static inspection shows a legitimate enterprise fork of a skills CLI with expected network, git, filesystem, telemetry, and optional hook behavior tied to user commands, not lifecycle execution. No unconsented credential collection, persistence, destructive behavior, or AI-agent control-surface mutation was found.
Evidence
package.jsonbin/cli.mjsdist/cli.mjsdist/_chunks/libs/simple-git.mjsREADME.md.agents/skills~/.codex/skills.codex/hooks.jsonskills-lock.json
Network endpoints7
api.github.comgithub.comgitlab.comraw.githubusercontent.comskills.shadd-skill.vercel.sh/tadd-skill.vercel.sh/audit

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/cli.mjs can clone/fetch skill sources and copy/symlink skill files on explicit CLI commands.
  • dist/cli.mjs can write AI tool hook files only when SKILLS_HOOK_* env vars are set.
  • dist/cli.mjs has telemetry/audit fetches to add-skill.vercel.sh and skills.sh.
Evidence against
  • package.json has no install/postinstall hook; prepare/prepublishOnly are dev/publish scripts.
  • bin/cli.mjs only enables Node compile cache then imports dist/cli.mjs.
  • dist/cli.mjs network use is package-aligned: GitHub/GitLab/skills registry, audit, telemetry, skill downloads.
  • dist/cli.mjs child_process use is for git/gh and optional user-requested agent launch/update flows.
  • Path traversal checks guard skill names, subpaths, and file materialization destinations.
  • No credential harvesting or exfiltration found; GitHub tokens are used as Authorization headers for GitHub API access.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
WildcardDependency
scanned 10 file(s), 452 KB of source, external domains: add-skill.vercel.sh, api.github.com, example.com, github.com, gitlab.com, raw.githubusercontent.com, schemas.agentskills.io, skills.sh

Source & flagged code

2 flagged · loading source
dist/_chunks/libs/simple-git.mjsView file
4import { Buffer as Buffer$1 } from "node:buffer"; L5: import { spawn } from "child_process"; L6: import { normalize } from "node:path";
High
Child Process

Package source references child process execution.

dist/_chunks/libs/simple-git.mjsView on unpkg · L4
dist/cli.mjsView file
17Cross-file remote execution chain: dist/cli.mjs spawns dist/_chunks/libs/simple-git.mjs; helper contains network access plus dynamic code execution. L17: import { promisify } from "util"; L18: import { execFile, execSync, spawn, spawnSync } from "child_process"; L19: import { access, cp, lstat, mkdir, mkdtemp, readFile, readdir, readlink, realpath, rm, stat, symlink, writeFile } from "fs/promises"; ... L22: import { createHash as createHash$1 } from "node:crypto"; L23: import { gunzipSync, inflateRawSync } from "node:zlib"; L24: var import_picocolors = /* @__PURE__ */ __toESM(require_picocolors(), 1); ... L41: } L42: if (!parsed.url.startsWith("http://") && !parsed.url.startsWith("https://")) return null; L43: try { ... L61: if (!res.ok) return "unknown"; L62: return (await res.json()).private === true ? "private" : "public"; L63: } catch {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli.mjsView on unpkg · L17

Findings

3 High3 Medium5 Low
HighChild Processdist/_chunks/libs/simple-git.mjs
HighShell
HighCross File Remote Execution Contextdist/cli.mjs
MediumNetwork
MediumEnvironment Vars
MediumWildcard Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings