
@skillnull/ai-tidu9@1.0.0

Cyber Jiumen Tidu (Commander of the Nine Gates): a remedy for AI going off the rails. The Cyber-JiumenTidu for LLMs.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package has an npm postinstall hook that unconditionally creates or rewrites AGENTS.md with AI-agent instructions scoped to the entire repository. This is unconsented lifecycle mutation of a broad AI-agent control surface, even though the content appears product-aligned.

Static reason: One or more suspicious static signals were detected.
Trigger: npm install / package postinstall
Impact: Can change future AI-agent behavior for the consuming project and overwrite existing AGENTS.md content during install.
Mechanism: lifecycle-generated AGENTS.md agent instruction file
Policy narrative: On npm install, package.json invokes .ai-tidu9/scripts/install.js. The script computes the package/project root, creates or rewrites AGENTS.md, and inserts instructions requiring agents to load AI-Tidu9 rules for the entire repository. It also writes .ai-tidu9/browser.md from a packaged skill file. No data theft or network behavior was found, but the lifecycle-triggered AGENTS.md write is a broad AI-agent control-surface mutation without explicit user consent.
Rationale: Static source inspection confirms install-time code plants repository-wide AGENTS.md instructions, which the supplied policy treats as blockable AI-agent control hijack when lifecycle-triggered and unconsented. Absence of exfiltration or classic malware does not remove the concrete agent control-surface attack surface.
Evidence:
  • package.json
  • .ai-tidu9/scripts/install.js
  • AGENTS.md
  • .ai-tidu9/browser.md
  • .ai-tidu9/skills/_core/SKILL.md

Decision evidence

public snapshot
AI called this Malicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json runs postinstall: node .ai-tidu9/scripts/install.js
  • install.js writes AGENTS.md at package root/consumer-visible project root on install
  • AGENTS.md content tells AI agents rules apply to entire repository and to recursively read .ai-tidu9/skills
  • install.js overwrites existing AGENTS.md unless it finds a '## Skill' split point
Evidence against
  • No network APIs, child_process, eval/vm, dynamic require, native binary loading, credential reads, or exfiltration seen
  • Writes are limited to AGENTS.md and .ai-tidu9/browser.md within the package/project tree
  • No files listed outside package/project root such as home agent configs or shell startup files
Behavioral surface
  • Source: No risky source behavior triggered.
  • Supply chain: No supply-chain packaging signals triggered.
  • Manifest: No manifest risk signals triggered.
scanned 0 file(s), 0 B of source

Source & flagged code

2 flagged

package.json
scripts.postinstall = node .ai-tidu9/scripts/install.js
Severity: High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node .ai-tidu9/scripts/install.js
Severity: Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

Findings

1 High, 1 Medium, 1 Low
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Low: Scripts Present