registry  /  @playlist-tech/enterprise-skills  /  1.5.19-enterprise.1

@playlist-tech/enterprise-skills@1.5.19-enterprise.1

An enterprise-customizable fork of Vercel Labs' skills CLI for internal skill registries.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `skills setup`, `add`, `use --agent`, or related CLI commands.
Impact
An operator-supplied hook command can be persisted into supported AI-agent configuration; no unconsented install-time mutation is present.
Mechanism
Explicit agent-hook configuration, skill installation, local process launch, and telemetry.
Rationale
The package has a guarded but broad explicit AI-agent hook configuration capability, warranting a warning under the stated policy. Source inspection found no concrete malicious chain or unconsented npm lifecycle mutation.
Evidence
package.jsonbin/cli.mjsdist/cli.mjs
Network endpoints3
add-skill.vercel.sh/tadd-skill.vercel.sh/auditapi.github.com

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/cli.mjs` `setup` writes agent hook settings after explicit CLI invocation.
  • Hook commands come from `SKILLS_HOOK_STOP_CMD`/`SKILLS_HOOK_FAIL_CMD` and can target detected AI tools.
  • CLI sends usage metadata to `https://add-skill.vercel.sh/t` and queries its audit endpoint.
  • `use --agent` launches a selected local AI-agent executable with a generated prompt.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` hook.
  • `bin/cli.mjs` only enables Node compile cache then imports the CLI when invoked.
  • Hook mutation requires the explicit `setup` command and a nonempty operator-provided environment command.
  • No `eval`, `Function`, VM loading, or hidden import-time payload execution was found.
  • GitHub token retrieval is tied to explicit GitHub repository acquisition paths; no token exfiltration endpoint was found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
WildcardDependency
scanned 10 file(s), 464 KB of source, external domains: add-skill.vercel.sh, api.github.com, example.com, github.com, gitlab.com, raw.githubusercontent.com, schemas.agentskills.io, skills.sh

Source & flagged code

2 flagged · loading source
dist/_chunks/libs/simple-git.mjsView file
4import { Buffer as Buffer$1 } from "node:buffer"; L5: import { spawn } from "child_process"; L6: import { normalize } from "node:path";
High
Child Process

Package source references child process execution.

dist/_chunks/libs/simple-git.mjsView on unpkg · L4
dist/cli.mjsView file
17Cross-file remote execution chain: dist/cli.mjs spawns dist/_chunks/libs/simple-git.mjs; helper contains network access plus dynamic code execution. L17: import { promisify } from "util"; L18: import { execFile, execSync, spawn, spawnSync } from "child_process"; L19: import { access, cp, lstat, mkdir, mkdtemp, readFile, readdir, readlink, realpath, rm, stat, symlink, writeFile } from "fs/promises"; ... L22: import { createHash as createHash$1 } from "node:crypto"; L23: import { gunzipSync, inflateRawSync } from "node:zlib"; L24: var import_picocolors = /* @__PURE__ */ __toESM(require_picocolors(), 1); ... L41: } L42: if (!parsed.url.startsWith("http://") && !parsed.url.startsWith("https://")) return null; L43: try { ... L61: if (!res.ok) return "unknown"; L62: return (await res.json()).private === true ? "private" : "public"; L63: } catch {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli.mjsView on unpkg · L17

Findings

3 High3 Medium5 Low
HighChild Processdist/_chunks/libs/simple-git.mjs
HighShell
HighCross File Remote Execution Contextdist/cli.mjs
MediumNetwork
MediumEnvironment Vars
MediumWildcard Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings