AI Security Review
scanned 3d ago · by lpm-firewall-ai
LPM blocks this version under the AI-agent control-surface policy. Install-time lifecycle hook executes a native platform binary with the setup command. The documented setup mutates AI-agent control surfaces by installing a local MCP daemon/autostart service and agent plugins.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install or global npm install that permits postinstall scripts
Impact
Unconsented install-time AI-agent tool/control-surface mutation and local persistent daemon registration
Mechanism
postinstall native binary setup for daemon and agent plugins
Policy narrative
Installing the package can run postinstall.js, which invokes bin.js setup. bin.js dispatches to the platform-specific native skyline binary. The README states setup installs a supervised always-on HTTP MCP daemon and best-effort installs marketplace plugins for AI agent CLIs, causing agent control-surface changes during package installation rather than only on explicit user invocation.
Rationale
The JS wrapper lacks exfiltration or destructive behavior, but the lifecycle hook automatically invokes setup that is documented to install a persistent MCP daemon and agent plugins. Under the firewall boundary, unconsented lifecycle AI-agent control-surface mutation is blocking behavior even when package-aligned. Product guard normalized a non-low false-positive publish_block request to warn-only suspicious.
Evidence
package.json, postinstall.js, bin.js, README.md
Network endpoints: 1
127.0.0.1:7333
Decision evidence
public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for policy block
- package.json defines postinstall: node postinstall.js
- postinstall.js runs bin.js setup during install unless CI or SKYLINE_NO_AUTO_SETUP is set
- bin.js spawnSyncs the platform native skyline binary with inherited stdio
- README says skyline setup installs a supervised autostart daemon and best-effort installs agent CLI marketplace plugins
- README instructs agents to prefer skyline MCP tools and pause if skyline is unavailable
Evidence against
- No credential harvesting, exfiltration, destructive file deletion, eval, or remote download code found in JS wrapper
- Network references are documentation/repository links plus local daemon setup, not exfiltration endpoints
- The behavior is documented as part of the package's setup workflow
Behavioral surface
ChildProcess, EnvironmentVars
Source & flagged code
2 flagged
package.json
•scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
•scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.json
Findings
1 High, 2 Medium, 1 Low
- High: Install Time Lifecycle Scripts (package.json)
- Medium: Ambiguous Install Lifecycle Script (package.json)
- Medium: Environment Vars
- Low: Scripts Present