registry  /  @routerhub/agent-rules  /  1.5.30

@routerhub/agent-rules@1.5.30

Shared Copilot agent rules and guidelines for RouterHub projects

AI Security Review

scanned 7d ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Install-time lifecycle mutates downstream AI-agent instruction surfaces without an explicit user command. The written rules can influence future coding-agent behavior in the consuming project.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
npm/pnpm install lifecycle postinstall
Impact
Unconsented persistent project instruction changes for Codex/Copilot/Claude-style agents and GitHub PR templates.
Mechanism
postinstall-spawned rule merger writes AI agent instruction files
Policy narrative
On package installation, postinstall.js spawns node merge.js sync in the consuming project root. merge.js reads bundled rule markdown and writes persistent agent-control files such as AGENTS.md, CLAUDE.md, and Copilot instruction files. Some bundled rules direct agent behavior around production deployment and workflow handling, creating an unconsented install-time AI-agent control-surface mutation.
Rationale
The package’s advertised purpose is agent-rule generation, but doing it automatically from postinstall crosses the firewall boundary for unconsented lifecycle mutation of AI-agent control files. No exfiltration or destructive payload was found, so the concrete threat is agent control hijack rather than data theft malware. Product guard normalized a non-low false-positive publish_block request to warn-only suspicious.
Evidence
package.jsonpostinstall.jsmerge.jsAGENTS.base.mdrules/global.mdrules/frontend.mdrules/go-backend.mdrules/devops.mdrules/*.mdAGENTS.mdCLAUDE.md.github/copilot-instructions.md.github/instructions/*.instructions.md.github/PULL_REQUEST_TEMPLATE.md

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node postinstall.js
  • postinstall.js runs merge.js sync during install using INIT_CWD/project cwd
  • merge.js writes AGENTS.md, CLAUDE.md, .github/copilot-instructions.md, .github/instructions/*.instructions.md, and PR template
  • AGENTS.base.md contains agent behavior rules including production deploy confirmation bypass and workflow/plugin instructions
Evidence against
  • No network APIs or exfiltration endpoints found by source grep
  • Child process is limited to spawning node merge.js sync, not shelling arbitrary external commands
  • No credential harvesting, native binaries, eval, or obfuscated payloads observed
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystem
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 20.5 KB of source

Source & flagged code

5 flagged · loading source
package.jsonView file
scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
postinstall.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @routerhub/agent-rules@1.5.29 matchedIdentity = npm:QHJvdXRlcmh1Yi9hZ2VudC1ydWxlcw:1.5.29 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

postinstall.jsView on unpkg
2L3: const { spawn } = require("child_process"); L4: const path = require("path");
High
Child Process

Package source references child process execution.

postinstall.jsView on unpkg · L2
2L3: const { spawn } = require("child_process"); L4: const path = require("path"); ... L14: console.log("[agent-rules] 检测到在 node_modules 内运行,跳过自动初始化"); L15: console.log("[agent-rules] 请手动执行: npx agent-rules init"); L16: process.exit(0);
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

postinstall.jsView on unpkg · L2

Findings

1 Critical3 High3 Medium3 Low
CriticalPrevious Version Dangerous Deltapostinstall.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processpostinstall.js
HighRuntime Package Installpostinstall.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings