registry  /  @realchemistry/auth-guard  /  2.2.3

@realchemistry/auth-guard@2.2.3

Sealed OIDC + PKCE chassis for Real Chemistry's Auth Hub. `auth-guard serve` runs the auth front door; consumer apps stay blind to OIDC and read identity from x-rc-user-* headers.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package mutates a consumer project's AI-agent control surface during npm postinstall. It installs Codex/Replit-style skill files and creates or edits AGENTS.md without an explicit user command beyond package installation.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install postinstall lifecycle
Impact
Future agent sessions in the consumer repo may inherit package-authored instructions that constrain or redirect auth-related code changes.
Mechanism
unconsented AI-agent instruction and skill file installation
Policy narrative
On install, npm runs scripts/install-skill.mjs. The script resolves INIT_CWD/project root, creates .local/skills entries from bundled skill files, and creates or modifies AGENTS.md by inserting the bundled @realchemistry/auth-guard section. Those files are intended to steer future AI-agent behavior in the consuming project.
Rationale
Static inspection confirms unconsented postinstall mutation of a broad/foreign AI-agent control surface, which meets the firewall block policy even though the runtime auth code otherwise appears package-aligned. No exfiltration or remote payload execution was found.
Evidence
package.jsonscripts/install-skill.mjsskill/AGENTS.snippet.mdskill/SKILL.mdskill/monorepo/SKILL.md.local/skills/auth-guard-integration/SKILL.md.local/skills/auth-guard-monorepo-integration/SKILL.mdAGENTS.md

Decision evidence

public snapshot
AI called this Malicious at 94.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node scripts/install-skill.mjs
  • scripts/install-skill.mjs copies skill/SKILL.md to consumer .local/skills/auth-guard-integration/SKILL.md
  • scripts/install-skill.mjs copies skill/monorepo/SKILL.md to consumer .local/skills/auth-guard-monorepo-integration/SKILL.md
  • scripts/install-skill.mjs creates/appends/replaces consumer project AGENTS.md on install
  • skill/AGENTS.snippet.md gives persistent agent instructions controlling auth-related edits
Evidence against
  • postinstall has AUTH_GUARD_SKIP_SKILL_INSTALL=1 opt-out
  • AGENTS.md merge is marker-bounded and idempotent
  • No credential harvesting or exfiltration found in inspected source
  • Runtime network calls are package-aligned OIDC/proxy/probe behavior from configured URLs
  • No child_process, eval, native binary loading, or remote payload execution found
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 12 file(s), 77.8 KB of source, external domains: 127.0.0.1

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/install-skill.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts/install-skill.mjsView file
2Install-time AI-agent control hijack evidence: L9: * to wire the SDK in. L10: * 2. Merge the bundled AGENTS.md snippet (skill/AGENTS.snippet.md) into L11: * the consumer project's AGENTS.md at the project root so the next L12: * agent that touches the project inherits the RC auth guardrails. ... L14: * Both are idempotent: the skill file overwrites on every install (pinned to L15: * the installed SDK version); the AGENTS.md merge replaces only the section L16: * between <!-- BEGIN @realchemistry/auth-guard --> and <!-- END … --> markers, L17: * leaving any other content in the user's AGENTS.md intact. L18: * ... L24: import { L25: mkdirSync, L26: copyFileSync, Payload evidence from skill/monorepo/SKILL.md: L2: name: auth-guard-monorepo-integration L3: description: Wire @realchemistry/auth-guard into a Replit artifacts-monorepo (pnpm-workspace.yaml at root, multiple artifacts/<slug>/ sub-apps each with their own package.json and ... L4: --- ... L16: - **Pick one landing artifact** — typically the one registered at `previewPath: "/"`. It runs `auth-guard serve` in normal mode, owns `/auth/*`, holds the five `AUTH_HUB_*` secrets... L17: - **Every other artifact** is …
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/install-skill.mjsView on unpkg · L2

Findings

1 Critical1 High3 Medium5 Low
CriticalAi Agent Control Hijackscripts/install-skill.mjs
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License