AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `skills setup`, `add`, `use --agent`, or related CLI commands.
Impact
An operator-supplied hook command can be persisted into supported AI-agent configuration; no unconsented install-time mutation is present.
Mechanism
Explicit agent-hook configuration, skill installation, local process launch, and telemetry.
Rationale
The package has a guarded but broad explicit AI-agent hook configuration capability, warranting a warning under the stated policy. Source inspection found no concrete malicious chain or unconsented npm lifecycle mutation.
Evidence
package.jsonbin/cli.mjsdist/cli.mjs
Network endpoints3
add-skill.vercel.sh/tadd-skill.vercel.sh/auditapi.github.com
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `dist/cli.mjs` `setup` writes agent hook settings after explicit CLI invocation.
- Hook commands come from `SKILLS_HOOK_STOP_CMD`/`SKILLS_HOOK_FAIL_CMD` and can target detected AI tools.
- CLI sends usage metadata to `https://add-skill.vercel.sh/t` and queries its audit endpoint.
- `use --agent` launches a selected local AI-agent executable with a generated prompt.
Evidence against
- `package.json` has no `preinstall`, `install`, or `postinstall` hook.
- `bin/cli.mjs` only enables Node compile cache then imports the CLI when invoked.
- Hook mutation requires the explicit `setup` command and a nonempty operator-provided environment command.
- No `eval`, `Function`, VM loading, or hidden import-time payload execution was found.
- GitHub token retrieval is tied to explicit GitHub repository acquisition paths; no token exfiltration endpoint was found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
WildcardDependency
Source & flagged code
2 flagged · loading sourcedist/_chunks/libs/simple-git.mjsView file
4import { Buffer as Buffer$1 } from "node:buffer";
L5: import { spawn } from "child_process";
L6: import { normalize } from "node:path";
High
Child Process
Package source references child process execution.
dist/_chunks/libs/simple-git.mjsView on unpkg · L4dist/cli.mjsView file
17Cross-file remote execution chain: dist/cli.mjs spawns dist/_chunks/libs/simple-git.mjs; helper contains network access plus dynamic code execution.
L17: import { promisify } from "util";
L18: import { execFile, execSync, spawn, spawnSync } from "child_process";
L19: import { access, cp, lstat, mkdir, mkdtemp, readFile, readdir, readlink, realpath, rm, stat, symlink, writeFile } from "fs/promises";
...
L22: import { createHash as createHash$1 } from "node:crypto";
L23: import { gunzipSync, inflateRawSync } from "node:zlib";
L24: var import_picocolors = /* @__PURE__ */ __toESM(require_picocolors(), 1);
...
L41: }
L42: if (!parsed.url.startsWith("http://") && !parsed.url.startsWith("https://")) return null;
L43: try {
...
L61: if (!res.ok) return "unknown";
L62: return (await res.json()).private === true ? "private" : "public";
L63: } catch {
High
Cross File Remote Execution Context
Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/cli.mjsView on unpkg · L17Findings
3 High3 Medium5 Low
HighChild Processdist/_chunks/libs/simple-git.mjs
HighShell
HighCross File Remote Execution Contextdist/cli.mjs
MediumNetwork
MediumEnvironment Vars
MediumWildcard Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings