AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM blocks this version under the AI-agent control-surface policy. Installing the package automatically executes `skyline setup`. The invoked platform binary is documented to install an autostart daemon and marketplace plugins for AI-agent CLIs discovered on PATH, including hooks that control agent tool usage.
Decision evidence
public snapshot- `package.json` runs `node postinstall.js` at install time.
- `postinstall.js` invokes `bin.js setup` without user confirmation.
- `bin.js` resolves and runs a platform-specific binary with `setup`.
- `README.md` states setup installs an autostart daemon and plugins for agent CLIs on PATH.
- `README.md` says the plugin hooks constrain built-in `Write`, `Edit`, and `Bash` tools.
- Wrapper JS has no direct credential harvesting or network code.
- Postinstall exits in CI or with `SKYLINE_NO_AUTO_SETUP`.
- Setup failures are non-fatal and only emit a warning.
- No binary payload is included in this extracted package.
Source & flagged code
3 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgSource fingerprint signature matches a known malicious package signature; route for source-aware review.
bin.jsView on unpkg