AI Security Review
scanned 2d ago · by lpm-firewall-ai
LPM blocks this version under the AI-agent control-surface policy. Install-time lifecycle code invokes a native platform binary with the setup command. The documented setup mutates the AI-agent control surface by installing an autostart MCP daemon and agent plugins.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install or global install when lifecycle scripts run
Impact
Unconsented install-time agent tooling and daemon registration may alter future AI-agent behavior.
Mechanism
postinstall delegates to platform binary setup
Policy narrative
On install, package.json runs postinstall.js. That script skips only in CI or when SKYLINE_NO_AUTO_SETUP is set, otherwise spawning node bin.js setup. bin.js resolves and executes the platform-specific skyline binary from optionalDependencies. The README documents that setup installs a supervised autostart HTTP MCP daemon and installs Skyline marketplace plugins for agent CLIs, then tells agents to prefer those tools. That is a concrete install-time AI-agent control-surface mutation, even though no secret theft or exfiltration is visible in the JS wrapper.
Rationale
The inspected package source establishes install-time execution of setup, and the package documentation states setup installs daemon and agent plugins affecting AI-agent behavior. This matches the firewall decision boundary for unconsented lifecycle AI-agent control-surface mutation despite otherwise package-aligned behavior. Product guard normalized a non-low false-positive publish_block request to warn-only suspicious.
Evidence
package.json · postinstall.js · bin.js · README.md
Network endpoints: 1
127.0.0.1:<free-port>/mcp
Decision evidence
public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for policy block
- package.json defines postinstall: node postinstall.js
- postinstall.js runs bin.js setup during install unless CI or SKYLINE_NO_AUTO_SETUP is set
- bin.js resolves an optional platform package and spawnSync executes its skyline binary with inherited stdio
- README.md states skyline setup installs a supervised autostart HTTP daemon and best-effort installs agent marketplace plugins
- README.md includes agent instructions to prefer skyline tools and avoid fallback when unavailable
Evidence against
- No credential harvesting, filesystem secret reads, or exfiltration code in inspected JS wrapper files
- No external network endpoints are contacted by package JS source
- Lifecycle hook is documented as best-effort setup and can be skipped with SKYLINE_NO_AUTO_SETUP
- The wrapper delegates to named platform optionalDependencies rather than downloading code dynamically
Behavioral surface
ChildProcess · EnvironmentVars
Source & flagged code
2 flagged
package.json
• scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
• scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.json
Findings
1 High · 2 Medium · 1 Low
- High · Install Time Lifecycle Scripts · package.json
- Medium · Ambiguous Install Lifecycle Script · package.json
- Medium · Environment Vars
- Low · Scripts Present