@stbr/writer-style-skill@1.1.0

A Claude Code skill: write original educational and long-form technical content in a specific author's voice — facts verified first, AI tells engineered out. Ships the kaue pack (Solana/Web3).

AI Security Review

scanned 5h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package mutates a Claude Code control surface during npm postinstall. It plants package-supplied skills, agents, and slash commands into the installing project's .claude directory without an explicit user command.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install of @stbr/writer-style-skill@1.1.0
Impact
Unconsented lifecycle installation of AI-agent instructions and commands into a consumer project, causing Claude Code to discover and use package-supplied control content.
Mechanism
postinstall recursive copy into .claude agent control directories
Policy narrative
On npm install, the postinstall script resolves the consumer project via INIT_CWD or cwd, creates .claude under that project, and copies bundled skills, agents, and commands there. This is a lifecycle-triggered mutation of Claude Code's project control surface, not merely a user-invoked CLI install.
Rationale
Static inspection confirms unconsented postinstall writes into a foreign/broad AI-agent control surface (.claude/skills, .claude/agents, .claude/commands), which is blockable under the install control surface policy even though the content is package-aligned. No exfiltration or remote code download was found, so the verdict is based on AI-agent control hijack rather than classic malware.
Evidence
  • package.json
  • bin/install.js
  • .claude-plugin/plugin.json
  • .claude-plugin/marketplace.json
  • commands/write-in-voice.md
  • commands/validate-voice.md
  • commands/profile-corpus.md
  • skills/writer-style/tools/validate_voice.py
  • skills/writer-style/tools/profile_corpus.py
  • .claude/skills//
  • .claude/agents//
  • .claude/commands/
  • skills/writer-style/
  • agents/
  • commands/

Decision evidence

public snapshot
AI called this Malicious at 95.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node bin/install.js
  • bin/install.js uses INIT_CWD/process.cwd to target consumer project root
  • bin/install.js recursively copies package skills, agents, and commands into project .claude/
  • Dropped commands include write-in-voice, validate-voice, new-persona, profile-corpus for Claude Code
  • Install script also invokes child_process.execSync('python3 --version') during postinstall
Evidence against
  • No credential harvesting or environment secret reads found
  • No network calls or remote payload download in install.js
  • Python tools are local validators/profilers using stdlib-style file processing
  • Claude plugin manifests are metadata only and do not register remote MCP servers
Behavioral surface
Source
ChildProcess, EnvironmentVars, Filesystem, Shell
Supply chain
HighEntropyStrings
Manifest
No manifest risk signals triggered.
scanned 1 file(s), 3.21 KB of source

Source & flagged code

4 flagged
package.json
scripts.postinstall = node bin/install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

scripts.postinstall = node bin/install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

bin/install.js
Install-time AI-agent control hijack evidence:
  L4: // Vendors the writer-style skill (self-contained: skill + agents + commands) into a
  L5: // project's ./.claude/ so Claude Code discovers it. Node core only — no dependencies.
  L6: // Runs automatically on `npm install @stbr/writer-style-skill`, or on demand via
  ...
  L21: if (stat.isDirectory()) {
  L22: fs.mkdirSync(dst, { recursive: true });
  L23: for (const name of fs.readdirSync(src)) {
  ...
  L27: } else {
  L28: fs.mkdirSync(path.dirname(dst), { recursive: true });
  L29: fs.copyFileSync(src, dst);
  L30: }
  ...
  L34: const projectRoot = process.env.INIT_CWD || process.cwd();
  L35: const claudeDir = path.join(projectRoot, ".claude");
Payload evidence from skills/writer-style/SKILL.md:
  L1: ---
  L2: name: writer-style
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

skills/writer-style/tools/style_lexicons.py
path = skills/writer-style/tools/style_lexicons.py kind = build_helper sizeBytes = 12761 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.


Findings

1 Critical · 1 High · 4 Medium · 3 Low
  • Critical · Ai Agent Control Hijack · bin/install.js
  • High · Install Time Lifecycle Scripts · package.json
  • Medium · Ambiguous Install Lifecycle Script · package.json
  • Medium · Environment Vars
  • Medium · Ships Build Helper · skills/writer-style/tools/style_lexicons.py
  • Medium · Structural Risk Force Deep Review
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings