AI Security Review
scanned 3d ago · by lpm-firewall-ai
LPM blocks this version under the AI-agent control-surface policy. Install-time lifecycle code launches a native platform binary and runs setup. The documented setup mutates the local AI-agent environment by installing an autostart daemon and agent marketplace plugins.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install when lifecycle scripts are enabled
Impact
Unconsented install-time AI agent control-surface mutation and persistent local MCP daemon registration
Mechanism
postinstall-spawned native setup for daemon and agent plugin wiring
Policy narrative
Installing the package runs postinstall.js, which invokes bin.js setup through the packaged platform binary. The README states setup installs a supervised autostart HTTP daemon and best-effort installs Skyline marketplace plugins for agent CLIs. Even though this behavior is documented and package-aligned, doing it automatically from npm postinstall changes AI-agent control surfaces at install time without an explicit user command.
Rationale
The package is not a generic credential stealer, but its lifecycle hook performs the exact high-risk behavior of unconsented install-time AI-agent control-surface mutation. Because setup is automatically invoked from postinstall and documented to install agent plugins plus an autostart MCP daemon, this should be blocked. Product guard normalized a non-low false-positive publish_block request to warn-only suspicious.
Evidence
package.json, postinstall.js, bin.js, README.md
Network endpoints: 2
- 127.0.0.1:<free-port>/mcp
- port 7333
Decision evidence
public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for policy block
- package.json defines postinstall: node postinstall.js.
- postinstall.js runs bin.js with setup during install unless CI or SKYLINE_NO_AUTO_SETUP is set.
- bin.js resolves a platform optional dependency and spawnSync executes its skyline binary with inherited stdio.
- README.md says skyline setup installs a supervised autostart HTTP daemon and best-effort installs marketplace plugins for agent CLIs already on PATH.
- README.md tells agents to prefer skyline MCP tools and not silently fall back when skyline is unavailable.
Evidence against
- No direct credential harvesting, file enumeration, destructive code, or exfiltration appears in the JavaScript wrapper files.
- Network references are package/documentation aligned and the described MCP endpoint is local.
- The postinstall hook is documented as best-effort and can be skipped with CI or SKYLINE_NO_AUTO_SETUP.
- No obfuscated strings, eval/vm/Function, or dynamic network download code found in this package source.
Behavioral surface
ChildProcess, EnvironmentVars
Source & flagged code
2 flagged
package.json
• scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
• scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.json
Findings
1 High · 2 Medium · 1 Low
- High: Install Time Lifecycle Scripts (package.json)
- Medium: Ambiguous Install Lifecycle Script (package.json)
- Medium: Environment Vars
- Low: Scripts Present