
@ploomescrm/ui@2.4.0

React component library for the Ploomes Design System: accessible, themeable, production-ready components with built-in design tokens and runtime support for dark mode and whitelabel branding.

AI Security Review

scanned 5h ago · by lpm-firewall-ai

The package performs unconsented lifecycle mutation of a broad Claude Code control surface in the consuming project. On install, it installs package-supplied skills and imports instructions into .claude/CLAUDE.md.

Static reason: High-risk behavior combination matched malicious policy.
Trigger: npm install/postinstall of @ploomescrm/ui as a dependency
Impact: Consumer projects get agent instructions/control files activated without an explicit user-invoked setup step, influencing future Claude Code behavior.
Mechanism: postinstall writes Claude Code skills and a CLAUDE.md import
Attack narrative: Installing the npm package runs scripts/setup.mjs via postinstall. The script detects node_modules, uses INIT_CWD as the consumer project root, copies package-supplied AI skills into .claude/skills with a namespace prefix, and writes a generated @import block at the top of .claude/CLAUDE.md. The planted content appears aligned with @ploomescrm/ui documentation, but the delivery mutates a foreign/broad agent control surface during npm install without a separate opt-in.
Rationale: Under the supplied policy, lifecycle code that drops package-supplied Claude/agent control files into a consumer project without consent is blockable even when the content is product-aligned. Source inspection confirms this behavior directly in scripts/setup.mjs and package.json.
Evidence
  • package.json
  • scripts/setup.mjs
  • ai-extensions/CLAUDE.md
  • ai-extensions/skills/ui-docs/SKILL.md
  • ai-extensions/skills/setup-ploomes-ui/SKILL.md
  • .claude/skills/ploomes-design-system-ui-docs
  • .claude/skills/ploomes-design-system-setup-ploomes-ui
  • .claude/CLAUDE.md

Decision evidence (public snapshot)

AI called this Malicious at 97.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for block
  • package.json defines postinstall: node scripts/setup.mjs.
  • scripts/setup.mjs uses INIT_CWD as projectRoot and, when installed under node_modules, writes into the consumer's .claude/.
  • scripts/setup.mjs copies ai-extensions/skills entries to .claude/skills/<ploomes-design-system-*> and removes prior prefixed entries.
  • scripts/setup.mjs writes/updates .claude/CLAUDE.md with a generated top @import to package ai-extensions/CLAUDE.md.
  • ai-extensions contains Claude skill manifests with user-invocable:false and agent-facing instructions activated by Claude Code.
Evidence against
  • No network endpoints found in setup script or extension docs.
  • Extension content reviewed is product-aligned UI documentation/setup guidance, not credential harvesting.
  • Lifecycle script is inert outside node_modules unless PLOOMES_AI_FORCE is set.
  • Removals are limited to .claude category entries with the package namespace prefix.
Behavioral surface
  • Source: Child Process, Environment Vars, Filesystem
  • Supply chain: High Entropy Strings, Minified, Url Strings
  • Manifest: No License
scanned 3 file(s), 521 KB of source, external domains: exemplo.com, fb.me

Source & flagged code

2 flagged

package.json
  scripts.postinstall = node scripts/setup.mjs

High · Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.

scripts/setup.mjs

Install-time AI-agent control hijack evidence (header comment of scripts/setup.mjs, lines 9-21; line 18 is not shown in the scanner excerpt):

   * Mirrors each category from <src>/ flattened into the root of the consumer's
   * `.claude/<category>/`, prefixing each item with the lib name (skills are only
   * discovered at `.claude/skills/<skill>/SKILL.md` directly). The wipe removes
   * only the items carrying this prefix, leaving the project's own content intact.
   * If `<src>/CLAUDE.md` exists, injects a demarcated `@import` into the consumer's
   * `.claude/CLAUDE.md`.
   *
   * ai-extensions/skills/foo/SKILL.md -> .claude/skills/<PREFIX>-foo/SKILL.md
   * ...
   * During DS-monorepo dev the package lives in packages/ui (outside node_modules),
   * so the script is inert and the repo's `.claude/` stays intact.
   */

Payload evidence from ai-extensions/skills/setup-ploomes-ui/SKILL.md (lines 1-2):

  ---
  name: setup-ploomes-ui

Critical · Ai Agent Control Hijack (scripts/setup.mjs, L1)
Install-time source drops package-supplied AI-agent/MCP control files or instructions.


Findings

1 Critical · 1 High · 2 Medium · 5 Low
  • Critical: Ai Agent Control Hijack (scripts/setup.mjs)
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Environment Vars
  • Medium: Structural Risk Force Deep Review
  • Low: Scripts Present
  • Low: Filesystem
  • Low: High Entropy Strings
  • Low: Url Strings
  • Low: No License