AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot- dist/skill-cli.js exposes explicit `shipeasy-skill install` writing to `.claude/skills/shipeasy-typescript/SKILL.md` by default.
- docs/skill/SKILL.md is an agent skill with SDK usage guidance and external docs URLs.
- package.json has no preinstall/install/postinstall lifecycle hooks.
- Main/browser entrypoints are SDK code for feature flags, configs, experiments, telemetry, i18n, and devtools.
- Network calls target package-aligned Shipeasy hosts and are gated by user configuration/runtime calls.
- No child_process, eval/vm, native binary loading, destructive filesystem actions, credential harvesting, or broad import-time execution found.
- dist/skill-cli.js refuses overwrite unless `--force` and only runs when the bin is explicitly invoked.
Source & flagged code
2 flagged · loading sourcedist/skill-cli.js exposes explicit `shipeasy-skill install` writing to `.claude/skills/shipeasy-typescript/SKILL.md` by default.
dist/skill-cli.jsView on unpkgdocs/skill/SKILL.md is an agent skill with SDK usage guidance and external docs URLs.
docs/skill/SKILL.mdView on unpkg