registry  /  @shendu-sdt/sd-zentao-cli  /  0.1.14

@shendu-sdt/sd-zentao-cli@0.1.14

SD internal ZenTao CLI for bug, task, and workhour workflows.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package performs unconsented postinstall mutation of broad AI-agent control surfaces by installing package-supplied skill instructions into multiple agent home directories. The installed instructions steer AI assistants toward the package CLI for internal ZenTao workflows, including write operations.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install runs package.json postinstall
Impact
Can alter AI assistant behavior on the host without an explicit user setup command; no separate exfiltration or destructive payload was found.
Mechanism
postinstall AI skill/rule installation across agent config directories
Policy narrative
On installation, npm runs scripts/install-ai-skill.mjs automatically. That script creates multiple AI assistant skill directories in the user's home and copies package-controlled SKILL.md into them, plus removes prior zentao-cli skill directories. The skill changes future agent behavior by instructing assistants to use this package's szt command for ZenTao workflows, including bug and workhour actions.
Rationale
Static inspection confirms a postinstall hook mutates broad/foreign AI-agent control surfaces without requiring an explicit setup command, which matches the firewall block policy. The rest of the CLI appears package-aligned and does not show credential exfiltration or remote payload execution, but the install-time AI control-surface write is sufficient to block.
Evidence
package.jsonscripts/install-ai-skill.mjsskills/sd-zentao-cli/SKILL.mddist/index.jsdist/config.jsdist/api.js~/.codex/skills/sd-zentao-cli/SKILL.md~/.agents/skills/sd-zentao-cli/SKILL.md~/.claude/skills/sd-zentao-cli/SKILL.md~/.cursor/skills/sd-zentao-cli/SKILL.md~/.qoder/skills/sd-zentao-cli/SKILL.md~/.gemini/config/skills/sd-zentao-cli/SKILL.md~/.antigravity/skills/sd-zentao-cli/SKILL.md~/.windsurf/skills/sd-zentao-cli/SKILL.md~/.aider/skills/sd-zentao-cli/SKILL.md~/.trae/skills/sd-zentao-cli/SKILL.md~/.hermes/skills/sd-zentao-cli/SKILL.md
Network endpoints2
pm.sdpjw.com/index.phpregistry.npmjs.org/

Decision evidence

public snapshot
AI called this Malicious at 94.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node scripts/install-ai-skill.mjs
  • scripts/install-ai-skill.mjs copies SKILL.md into broad AI-agent directories under ~/.codex, ~/.agents, ~/.claude, ~/.cursor, ~/.gemini, etc.
  • postinstall also removes old zentao-cli skill directories across the same agent surfaces
  • SKILL.md instructs agents to prefer szt and guides bug/workhour write workflows
Evidence against
  • No credential exfiltration found; saved ZenTao credentials stay in ~/.szt-cli/config.json with 0600 permissions
  • Network use is ZenTao-aligned via configured URL/default https://pm.sdpjw.com/index.php and REST/legacy API calls
  • child_process use is limited to invoking install-ai-skill.mjs and retrying the same CLI after relogin; git execFile supports user-invoked work scan
  • No eval/vm/dynamic remote payload loading found
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 16 file(s), 170 KB of source, external domains: pm.sdpjw.com, registry.npmjs.org

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/install-ai-skill.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/index.jsView file
166patternName = generic_password severity = medium line = 166 matchedText = await cl... });
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/index.jsView on unpkg · L166
scripts/install-ai-skill.mjsView file
1Install-time AI-agent control hijack evidence: L1: #!/usr/bin/env node L2: import { copyFileSync, existsSync, mkdirSync, rmSync, writeFileSync } from 'node:fs'; L3: import { dirname, join, resolve } from 'node:path'; ... L12: const targets = [ L13: join(homedir(), '.codex', 'skills', skillName, 'SKILL.md'), L14: join(homedir(), '.agents', 'skills', skillName, 'SKILL.md'), L15: join(homedir(), '.claude', 'skills', skillName, 'SKILL.md'), L16: join(homedir(), '.cursor', 'skills', skillName, 'SKILL.md'), ... L25: const oldTargets = [ L26: join(homedir(), '.codex', 'skills', oldSkillName), L27: join(homedir(), '.agents', 'skills', oldSkillName), L28: join(homedir(), '.claude', 'skills', oldSkillName), Payload evidence from skills/sd-zentao-cli/SKILL.md: L18: ```bash L19: npm install -g --registry=https://registry.npmjs.org/ @shendu-sdt/sd-zentao-cli L20: szt setup
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/install-ai-skill.mjsView on unpkg · L1

Findings

1 Critical1 High3 Medium6 Low
CriticalAi Agent Control Hijackscripts/install-ai-skill.mjs
HighInstall Time Lifecycle Scriptspackage.json
MediumSecret Patterndist/index.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License