AI Security Review
scanned 5h ago · by lpm-firewall-ai

The package performs unconsented lifecycle mutation of a broad Claude Code control surface in the consuming project. On install, it installs package-supplied skills and imports instructions into .claude/CLAUDE.md.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install/postinstall of @ploomescrm/ui as a dependency
Impact
Consumer projects get agent instructions/control files activated without an explicit user-invoked setup step, influencing future Claude Code behavior.
Mechanism
postinstall writes Claude Code skills and CLAUDE.md import
Attack narrative
Installing the npm package runs scripts/setup.mjs via postinstall. The script detects node_modules, uses INIT_CWD as the consumer project root, copies package-supplied AI skills into .claude/skills with a namespace prefix, and writes a generated @import block at the top of .claude/CLAUDE.md. The planted content appears aligned with @ploomescrm/ui documentation, but the delivery mutates a foreign/broad agent control surface during npm install without a separate opt-in.
Rationale
Under the supplied policy, lifecycle code that drops package-supplied Claude/agent control files into a consumer project without consent is blockable even when content is product-aligned. Source inspection confirms this behavior directly in scripts/setup.mjs and package.json.
Evidence
- package.json
- scripts/setup.mjs
- ai-extensions/CLAUDE.md
- ai-extensions/skills/ui-docs/SKILL.md
- ai-extensions/skills/setup-ploomes-ui/SKILL.md
- .claude/skills/ploomes-design-system-ui-docs
- .claude/skills/ploomes-design-system-setup-ploomes-ui
- .claude/CLAUDE.md
Decision evidence
public snapshot

AI called this Malicious at 97.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for block
- package.json defines postinstall: node scripts/setup.mjs.
- scripts/setup.mjs uses INIT_CWD projectRoot and, when installed under node_modules, writes into consumer .claude/.
- scripts/setup.mjs copies ai-extensions/skills entries to .claude/skills/<ploomes-design-system-*> and removes prior prefixed entries.
- scripts/setup.mjs writes/updates .claude/CLAUDE.md with a generated top @import to package ai-extensions/CLAUDE.md.
- ai-extensions contains Claude skill manifests with user-invocable:false and agent-facing instructions activated by Claude Code.
Evidence against
- No network endpoints found in setup script or extension docs.
- Extension content reviewed is product-aligned UI documentation/setup guidance, not credential harvesting.
- Lifecycle script is inert outside node_modules unless PLOOMES_AI_FORCE is set.
- Removals are limited to .claude category entries with the package namespace prefix.
Behavioral surface
ChildProcess · EnvironmentVars · Filesystem
HighEntropyStrings · Minified · UrlStrings
NoLicense
Source & flagged code
2 flagged
package.json
• scripts.postinstall = node scripts/setup.mjs
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
scripts/setup.mjs
Install-time AI-agent control hijack evidence:
L9: * Mirrors each category from <src>/ flattened into the root of the consumer's
L10: * `.claude/<category>/`, prefixing each item with the lib name (skills are only
L11: * discovered at `.claude/skills/<skill>/SKILL.md` directly). The wipe removes
L12: * only the items carrying this prefix, leaving the project's own content intact.
L13: * If `<src>/CLAUDE.md` exists, injects a demarcated `@import` into the consumer's
L14: * `.claude/CLAUDE.md`.
L15: *
L16: * ai-extensions/skills/foo/SKILL.md -> .claude/skills/<PREFIX>-foo/SKILL.md
L17: *
...
L19: * During DS-monorepo dev the package lives in packages/ui (outside node_modules),
L20: * so the script is inert and the repo's `.claude/` stays intact.
L21: */
Payload evidence from ai-extensions/skills/setup-ploomes-ui/SKILL.md:
L1: ---
L2: name: setup-ploomes-ui
Critical
Ai Agent Control Hijack
Install-time source drops package-supplied AI-agent/MCP control files or instructions.
Findings
1 Critical · 1 High · 2 Medium · 5 Low
- Critical · Ai Agent Control Hijack · scripts/setup.mjs
- High · Install Time Lifecycle Scripts · package.json
- Medium · Environment Vars
- Medium · Structural Risk Force Deep Review
- Low · Scripts Present
- Low · Filesystem
- Low · High Entropy Strings
- Low · Url Strings
- Low · No License