AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM blocks this version under the AI-agent control-surface policy. The package mutates a consumer project's AI-agent control surface during npm postinstall. It installs Codex/Replit-style skill files and creates or edits AGENTS.md without an explicit user command beyond package installation.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install postinstall lifecycle
Impact
Future agent sessions in the consumer repo may inherit package-authored instructions that constrain or redirect auth-related code changes.
Mechanism
unconsented AI-agent instruction and skill file installation
Policy narrative
On install, npm runs scripts/install-skill.mjs. The script resolves INIT_CWD/project root, creates .local/skills entries from bundled skill files, and creates or modifies AGENTS.md by inserting the bundled @realchemistry/auth-guard section. Those files are intended to steer future AI-agent behavior in the consuming project.
Rationale
Static inspection confirms unconsented postinstall mutation of a broad/foreign AI-agent control surface, which meets the firewall block policy even though the runtime auth code otherwise appears package-aligned. No exfiltration or remote payload execution was found.
Evidence
package.jsonscripts/install-skill.mjsskill/AGENTS.snippet.mdskill/SKILL.mdskill/monorepo/SKILL.md.local/skills/auth-guard-integration/SKILL.md.local/skills/auth-guard-monorepo-integration/SKILL.mdAGENTS.md
Decision evidence
public snapshotAI called this Malicious at 94.0% confidence as Malware with low false-positive risk.
Evidence for policy block
- package.json defines postinstall: node scripts/install-skill.mjs
- scripts/install-skill.mjs copies skill/SKILL.md to consumer .local/skills/auth-guard-integration/SKILL.md
- scripts/install-skill.mjs copies skill/monorepo/SKILL.md to consumer .local/skills/auth-guard-monorepo-integration/SKILL.md
- scripts/install-skill.mjs creates/appends/replaces consumer project AGENTS.md on install
- skill/AGENTS.snippet.md gives persistent agent instructions controlling auth-related edits
Evidence against
- postinstall has AUTH_GUARD_SKIP_SKILL_INSTALL=1 opt-out
- AGENTS.md merge is marker-bounded and idempotent
- No credential harvesting or exfiltration found in inspected source
- Runtime network calls are package-aligned OIDC/proxy/probe behavior from configured URLs
- No child_process, eval, native binary loading, or remote payload execution found
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node scripts/install-skill.mjs
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgscripts/install-skill.mjsView file
2Install-time AI-agent control hijack evidence:
L9: * to wire the SDK in.
L10: * 2. Merge the bundled AGENTS.md snippet (skill/AGENTS.snippet.md) into
L11: * the consumer project's AGENTS.md at the project root so the next
L12: * agent that touches the project inherits the RC auth guardrails.
...
L14: * Both are idempotent: the skill file overwrites on every install (pinned to
L15: * the installed SDK version); the AGENTS.md merge replaces only the section
L16: * between <!-- BEGIN @realchemistry/auth-guard --> and <!-- END … --> markers,
L17: * leaving any other content in the user's AGENTS.md intact.
L18: *
...
L24: import {
L25: mkdirSync,
L26: copyFileSync,
Payload evidence from skill/monorepo/SKILL.md:
L2: name: auth-guard-monorepo-integration
L3: description: Wire @realchemistry/auth-guard into a Replit artifacts-monorepo (pnpm-workspace.yaml at root, multiple artifacts/<slug>/ sub-apps each with their own package.json and ...
L4: ---
...
L16: - **Pick one landing artifact** — typically the one registered at `previewPath: "/"`. It runs `auth-guard serve` in normal mode, owns `/auth/*`, holds the five `AUTH_HUB_*` secrets...
L17: - **Every other artifact** is …
Critical
Ai Agent Control Hijack
Install-time source drops package-supplied AI-agent/MCP control files or instructions.
scripts/install-skill.mjsView on unpkg · L2Findings
1 Critical1 High3 Medium5 Low
CriticalAi Agent Control Hijackscripts/install-skill.mjs
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License