registry  /  @skylence-ai/skyline  /  1.0.69

@skylence-ai/skyline@1.0.69

Content-hash line editor — CLI and MCP server

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Installation automatically invokes an opaque platform binary with `setup`. Documented setup installs a persistent daemon and marketplace plugins into agent CLIs detected on PATH, including hooks that redirect agent tooling.

Static reason
One or more suspicious static signals were detected.; source fingerprint signature matched known malicious package; routed for review
Trigger
npm postinstall for @skylence-ai/skyline@1.0.69 when CI and SKYLINE_NO_AUTO_SETUP are unset
Impact
Mutates broad, third-party AI-agent control surfaces and establishes persistent local service behavior without an explicit setup command.
Mechanism
unconsented lifecycle-triggered agent-plugin and daemon setup
Policy narrative
On install, `postinstall.js` runs `bin.js setup`. The launcher resolves and executes a platform-specific binary. Package documentation states that setup installs a supervised autostart HTTP daemon and marketplace plugins for agent CLIs found on PATH; those plugins use hooks to steer agents away from built-in Write/Edit/Bash tools. This is an unconsented postinstall mutation path affecting foreign AI-agent control surfaces.
Rationale
The inspected wrapper establishes an automatic postinstall path into documented daemon and AI-agent plugin setup. The package does not need to harvest credentials for this to warrant blocking under the lifecycle control-surface policy.
Evidence
package.jsonpostinstall.jsbin.jsREADME.md@skylence-ai/skyline-<platform>/skyline

Decision evidence

public snapshot
AI called this Malicious at 91.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • `package.json` registers `postinstall`.
  • `postinstall.js` automatically runs `skyline setup` outside CI.
  • `bin.js` dispatches setup to a platform binary.
  • `README.md` says setup autostarts a daemon and installs agent plugins found on PATH.
  • `README.md` says plugin hooks redirect built-in agent tools.
Evidence against
  • Wrapper JavaScript contains no credential harvesting or network code.
  • No direct file writes, eval, or shell command construction appear in inspected JS.
  • The lifecycle hook can be disabled with `SKYLINE_NO_AUTO_SETUP`.
Behavioral surface
Source
ChildProcessEnvironmentVars
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 2.05 KB of source

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin.jsView file
matchType = malicious_source_fingerprint_signature signature = 202b3dfd3937dab6 signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = @skylence-ai/skyline@1.0.66 matchedPath = bin.js matchedIdentity = npm:QHNreWxlbmNlLWFpL3NreWxpbmU:1.0.66 similarity = 1.000 shingleOverlap = 2 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

bin.jsView on unpkg

Findings

2 High2 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
HighKnown Malware Source Fingerprint Signaturebin.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
LowScripts Present