registry  /  @skylence-ai/skyline  /  1.0.73

@skylence-ai/skyline@1.0.73

Content-hash line editor — CLI and MCP server

AI Security Review

scanned 4h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Installation triggers an automatic `skyline setup` invocation. The invoked platform binary is documented to install an autostart daemon and plugins/hooks into AI-agent CLIs found on PATH, without an explicit user command.

Static reason
One or more suspicious static signals were detected.; source fingerprint signature matched known malicious package; routed for review
Trigger
npm postinstall for @skylence-ai/skyline@1.0.73 outside CI
Impact
Can alter broad, foreign AI-agent control surfaces and persist a local background service during package installation.
Mechanism
unconsented lifecycle execution of agent-plugin and daemon setup
Policy narrative
On installation, npm runs `postinstall.js`, which invokes `bin.js setup` automatically for non-CI users. The wrapper launches a platform-specific Skyline binary. Package documentation identifies setup as installing a supervised autostart daemon and marketplace plugins/hooks for agent CLIs on PATH; those hooks redirect agents away from native editing and shell tools. This is an unconsented install-time mutation path affecting foreign, broad AI-agent control surfaces.
Rationale
The lifecycle code concretely performs automatic setup, and package source documents that setup modifies AI-agent CLIs and creates persistent daemon behavior. This meets the firewall block boundary for unconsented postinstall AI-agent control-surface mutation.
Evidence
package.jsonpostinstall.jsbin.jsREADME.md

Decision evidence

public snapshot
AI called this Malicious at 93.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • `package.json` registers `postinstall: node postinstall.js`.
  • `postinstall.js` automatically runs `bin.js setup` unless CI or `SKYLINE_NO_AUTO_SETUP` is set.
  • `bin.js` resolves and executes a platform-specific Skyline binary with the `setup` argument.
  • `README.md` states setup installs an autostart daemon and Skyline marketplace plugins for agent CLIs on PATH.
  • `README.md` says its Claude plugin uses hooks to steer agents away from built-in Write/Edit/Bash tools.
Evidence against
  • No JavaScript source reads credentials, harvests files, or performs network requests.
  • The wrapper uses fixed scoped platform-package names and forwards CLI arguments without shell interpolation.
  • The lifecycle hook warns on failure rather than retrying or hiding errors.
Behavioral surface
Source
ChildProcessEnvironmentVars
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 2.05 KB of source

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin.jsView file
matchType = malicious_source_fingerprint_signature signature = 202b3dfd3937dab6 signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = @skylence-ai/skyline@1.0.70 matchedPath = bin.js matchedIdentity = npm:QHNreWxlbmNlLWFpL3NreWxpbmU:1.0.70 similarity = 1.000 shingleOverlap = 2 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

bin.jsView on unpkg

Findings

2 High2 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
HighKnown Malware Source Fingerprint Signaturebin.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
LowScripts Present