registry  /  @skylence-ai/skyline  /  1.0.50

@skylence-ai/skyline@1.0.50

Content-hash line editor — CLI and MCP server

AI Security Review

scanned 3d ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Install-time lifecycle code launches a native platform binary and runs setup. The documented setup mutates the local AI-agent environment by installing an autostart daemon and agent marketplace plugins.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install when lifecycle scripts are enabled
Impact
Unconsented install-time AI agent control-surface mutation and persistent local MCP daemon registration
Mechanism
postinstall-spawned native setup for daemon and agent plugin wiring
Policy narrative
Installing the package runs postinstall.js, which invokes bin.js setup through the packaged platform binary. The README states setup installs a supervised autostart HTTP daemon and best-effort installs Skyline marketplace plugins for agent CLIs. Even though this behavior is documented and package-aligned, doing it automatically from npm postinstall changes AI-agent control surfaces at install time without an explicit user command.
Rationale
The package is not a generic credential stealer, but its lifecycle hook performs the exact high-risk behavior of unconsented install-time AI-agent control-surface mutation. Because setup is automatically invoked from postinstall and documented to install agent plugins plus an autostart MCP daemon, this should be blocked. Product guard normalized a non-low false-positive publish_block request to warn-only suspicious.
Evidence
package.jsonpostinstall.jsbin.jsREADME.md
Network endpoints2
127.0.0.1:<free-port>/mcpport 7333

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node postinstall.js.
  • postinstall.js runs bin.js with setup during install unless CI or SKYLINE_NO_AUTO_SETUP is set.
  • bin.js resolves a platform optional dependency and spawnSync executes its skyline binary with inherited stdio.
  • README.md says skyline setup installs a supervised autostart HTTP daemon and best-effort installs marketplace plugins for agent CLIs already on PATH.
  • README.md tells agents to prefer skyline MCP tools and not silently fall back when skyline is unavailable.
Evidence against
  • No direct credential harvesting, file enumeration, destructive code, or exfiltration appears in the JavaScript wrapper files.
  • Network references are package/documentation aligned and the described MCP endpoint is local.
  • The postinstall hook is documented as best-effort and can be skipped with CI or SKYLINE_NO_AUTO_SETUP.
  • No obfuscated strings, eval/vm/Function, or dynamic network download code found in this package source.
Behavioral surface
Source
ChildProcessEnvironmentVars
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 2.05 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High2 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
LowScripts Present