AI Security Review
scanned 3h ago · by lpm-firewall-ai
LPM treats this as a warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface was found. The notable risk is explicit-user-command installation/removal of first-party agent skills into common agent skill directories.
Static reason
No blocking static signals were detected; the diff against the previous stored version introduced a dangerous source file.
Trigger
User runs the create bin, then the generated pnpm dev, install:skills or remove:skills scripts, or the install-skills add command.
Impact
Can place or remove selected skill directories under user or project agent skill paths when invoked.
Mechanism
Scaffolds a project and ships explicit agent skill install/remove helpers.
Rationale
Source inspection shows a package-aligned scaffolding CLI with no lifecycle hooks or stealth behavior, but it ships explicit helpers that can install first-party skills into broad AI-agent skill directories. Per policy this is a warning-level agent extension lifecycle risk, not a publish-blocking malicious package.
Evidence
- package.json
- dist/cli.js
- dist/chunk-RTBK52ND.js
- templates/default/package.json
- templates/default/internal-scripts/install/dist/cli.js
- templates/default/internal-scripts/install/install-skills.sh
- templates/default/internal-scripts/install/remove-skills.sh
- templates/default/internal-scripts/install/lib/agent-targets.sh
- target project directory
- target project/node_modules
- $HOME/.agents/skills
- $HOME/.codex/skills
- $HOME/.cursor/skills
- $HOME/.claude/skills
- <repo>/.agents/skills
- <repo>/.cursor/skills
- <repo>/.claude/skills
Network endpoints (3)
- al4f.dev
- github.com/al4f/skills-house
- agentskills.io
Decision evidence
public snapshot: AI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- templates/default/internal-scripts/install/install-skills.sh can write skills into $HOME/.agents/.codex/.cursor/.claude skill directories when explicitly run.
- templates/default/internal-scripts/install/remove-skills.sh removes matching installed skill directories with rm -rf when explicitly run.
- templates/default/internal-scripts/install/dist/cli.js can fetch @skills-house/skill-<name> via npm pack for explicit install-skills add.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle scripts.
- dist/cli.js only runs as bin create, scaffolds templates, and optionally runs pnpm install in the target project.
- No credential harvesting, hidden exfiltration, eval/vm, or remote code execution path found.
- Agent skill writes are in generated project scripts and explicit commands, not unconsented package install-time mutation.
- Network strings are docs/repository URLs plus npm pack for package-aligned skill installation.
Behavioral surface
- Child Process
- Environment Vars
- Filesystem
- Shell
- Url Strings
Source & flagged code
2 flagged
templates/default/internal-scripts/install/install-skills.sh
- path = templates/default/internal-scripts/install/install-skills.sh
- kind = build_helper
- sizeBytes = 3177
- magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
templates/default/internal-scripts/install/dist/cli.js
- matchType = previous_version_dangerous_delta
- matchedPackage = @skills-house/create@0.1.1
- matchedIdentity = npm:QHNraWxscy1ob3VzZS9jcmVhdGU:0.1.1
- similarity = 0.769
- summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
Findings
1 High · 2 Medium · 2 Low
- High: Previous Version Dangerous Delta (templates/default/internal-scripts/install/dist/cli.js)
- Medium: Environment Vars
- Medium: Ships Build Helper (templates/default/internal-scripts/install/install-skills.sh)
- Low: Filesystem
- Low: Url Strings