@skylence-ai/skyline@1.0.52

Content-hash line editor — CLI and MCP server

AI Security Review

scanned 3d ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The install-time lifecycle hook executes a native platform binary with the setup command. The documented setup mutates AI-agent control surfaces by installing a local MCP daemon/autostart service and agent plugins.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install or global npm install that permits postinstall scripts
Impact
Unconsented install-time AI-agent tool/control-surface mutation and local persistent daemon registration
Mechanism
postinstall native binary setup for daemon and agent plugins
Policy narrative
Installing the package can run postinstall.js, which invokes bin.js setup. bin.js dispatches to the platform-specific native skyline binary. The README states setup installs a supervised always-on HTTP MCP daemon and best-effort installs marketplace plugins for AI agent CLIs, causing agent control-surface changes during package installation rather than only on explicit user invocation.
Rationale
The JS wrapper lacks exfiltration or destructive behavior, but the lifecycle hook automatically invokes setup that is documented to install a persistent MCP daemon and agent plugins. Under the firewall boundary, unconsented lifecycle AI-agent control-surface mutation is blocking behavior even when package-aligned. Product guard normalized a non-low false-positive publish_block request to warn-only suspicious.
Evidence
package.json, postinstall.js, bin.js, README.md
Network endpoints: 1
127.0.0.1:7333

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node postinstall.js
  • postinstall.js runs bin.js setup during install unless CI or SKYLINE_NO_AUTO_SETUP is set
  • bin.js runs the platform native skyline binary via spawnSync with inherited stdio
  • README says skyline setup installs a supervised autostart daemon and best-effort installs agent CLI marketplace plugins
  • README instructs agents to prefer skyline MCP tools and pause if skyline is unavailable
Evidence against
  • No credential harvesting, exfiltration, destructive file deletion, eval, or remote download code found in JS wrapper
  • Network references are documentation/repository links plus local daemon setup, not exfiltration endpoints
  • The behavior is documented as part of the package's setup workflow
Behavioral surface
Source
ChildProcess, EnvironmentVars
Supply chain: No supply-chain packaging signals triggered.
Manifest: No manifest risk signals triggered.
scanned 2 file(s), 2.05 KB of source

Source & flagged code

2 flagged
package.json
scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json

Findings

1 High, 2 Medium, 1 Low
High: Install Time Lifecycle Scripts (package.json)
Medium: Ambiguous Install Lifecycle Script (package.json)
Medium: Environment Vars
Low: Scripts Present