registry  /  @skylence-ai/skyline  /  1.0.57

@skylence-ai/skyline@1.0.57

Content-hash line editor — CLI and MCP server

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The npm postinstall hook automatically invokes skyline setup, which the package documentation describes as installing an autostart daemon and agent CLI plugins. That is unconsented install-time mutation of a broad AI-agent control surface.

Static reason
One or more suspicious static signals were detected.; source fingerprint signature matched known malicious package; routed for review
Trigger
npm install when lifecycle scripts are allowed
Impact
Can register persistent local MCP/agent integration during package installation without an explicit user command.
Mechanism
postinstall executes platform binary setup
Policy narrative
On install, package.json runs postinstall.js. That script launches node bin.js setup, and bin.js resolves and executes the platform-specific skyline binary from optional dependencies. The package README says this setup installs a supervised daemon and agent CLI plugins, wiring AI clients to a local MCP endpoint, so the install lifecycle can mutate AI-agent configuration/control surfaces without a separate user-invoked setup command.
Rationale
The reviewed JS wrapper has no direct exfiltration or payload obfuscation, but its lifecycle hook automatically triggers documented agent/daemon setup. Under the install control surface policy, unconsented postinstall mutation of broad AI-agent control surfaces is blocking. Product guard normalized a concrete AI-agent control hijack publish_block to the blockable dangerous-capability shape.
Evidence
package.jsonpostinstall.jsbin.jsREADME.md
Network endpoints2
127.0.0.1:7333/mcpgithub.com/skylence-be/binary-skyline

Decision evidence

public snapshot
AI called this Malicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node postinstall.js.
  • postinstall.js runs bin.js with setup during npm lifecycle unless CI or SKYLINE_NO_AUTO_SETUP is set.
  • bin.js resolves a platform optional package and spawnSync executes its skyline binary with inherited stdio.
  • README.md says skyline setup installs a supervised autostart daemon and best-effort installs agent CLI marketplace plugins.
  • README.md instructs registering an MCP server on localhost port 7333 for AI clients.
Evidence against
  • No JS source contains credential harvesting, file enumeration, fetch/http client code, eval/vm, or encoded payloads.
  • Network URLs in package source are documentation/repository links only.
  • Wrapper behavior is package-aligned CLI dispatch to declared optional platform packages.
Behavioral surface
Source
ChildProcessEnvironmentVars
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 2.05 KB of source

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin.jsView file
matchType = malicious_source_fingerprint_signature signature = 202b3dfd3937dab6 signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = @skylence-ai/skyline@1.0.56 matchedPath = bin.js matchedIdentity = npm:QHNreWxlbmNlLWFpL3NreWxpbmU:1.0.56 similarity = 1.000 shingleOverlap = 2 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

bin.jsView on unpkg

Findings

2 High2 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
HighKnown Malware Source Fingerprint Signaturebin.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
LowScripts Present