registry  /  @skylence-ai/skyline  /  1.0.66

@skylence-ai/skyline@1.0.66

Content-hash line editor — CLI and MCP server

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Installing the package automatically executes `skyline setup`. The invoked platform binary is documented to install an autostart daemon and marketplace plugins for AI-agent CLIs discovered on PATH, including hooks that control agent tool usage.

Static reason
One or more suspicious static signals were detected.; source fingerprint signature matched known malicious package; routed for review
Trigger
npm postinstall during package installation
Impact
Mutates broad AI-agent control surfaces and establishes a persistent local daemon without an explicit setup command.
Mechanism
Unconsented install-time invocation of agent/daemon setup
Policy narrative
The package's postinstall hook starts `skyline setup` automatically. Its launcher delegates setup to a platform binary; the package documentation describes that setup as installing a supervised autostart daemon and Skyline plugins for agent CLIs found on PATH. The documented plugin hooks redirect or restrict built-in AI-agent tools. This is an unconsented install-time mutation of a foreign, broad AI-agent control surface rather than a user-invoked setup action.
Rationale
The wrapper source establishes an automatic install-time path into documented agent-plugin and persistent-daemon setup. Although the binary is absent and no exfiltration is shown, this meets the blocking boundary for unconsented postinstall mutation of a broad AI-agent control surface.
Evidence
package.jsonpostinstall.jsbin.jsREADME.md

Decision evidence

public snapshot
AI called this Malicious at 95.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • `package.json` runs `node postinstall.js` at install time.
  • `postinstall.js` invokes `bin.js setup` without user confirmation.
  • `bin.js` resolves and runs a platform-specific binary with `setup`.
  • `README.md` states setup installs an autostart daemon and plugins for agent CLIs on PATH.
  • `README.md` says the plugin hooks constrain built-in `Write`, `Edit`, and `Bash` tools.
Evidence against
  • Wrapper JS has no direct credential harvesting or network code.
  • Postinstall exits in CI or with `SKYLINE_NO_AUTO_SETUP`.
  • Setup failures are non-fatal and only emit a warning.
  • No binary payload is included in this extracted package.
Behavioral surface
Source
ChildProcessEnvironmentVars
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 2.05 KB of source

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin.jsView file
matchType = malicious_source_fingerprint_signature signature = 202b3dfd3937dab6 signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = @skylence-ai/skyline@1.0.67 matchedPath = bin.js matchedIdentity = npm:QHNreWxlbmNlLWFpL3NreWxpbmU:1.0.67 similarity = 1.000 shingleOverlap = 2 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

bin.jsView on unpkg

Findings

2 High2 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
HighKnown Malware Source Fingerprint Signaturebin.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
LowScripts Present