registry  /  @tonyclaw/agent-inspector  /  2.0.39

@tonyclaw/agent-inspector@2.0.39

Agent observability and knowledge capture layer for AI coding tools.

AI Security Review

scanned 5d ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Install-time lifecycle code silently installs AI-agent onboarding skills when local Claude or Codex homes exist. This mutates agent control surfaces before explicit user invocation, even though the skill content is mostly package-aligned.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
npm install / postinstall
Impact
Unconsented addition of Claude/Codex skills and slash command that can steer future AI-agent behavior and config edits.
Mechanism
postinstall spawns bundled CLI onboarding writer
Policy narrative
During postinstall, setup-agent-skills.mjs checks for existing Claude/Codex homes and runs the bundled CLI onboard command. The onboard code writes generated skill and command Markdown into Claude and Codex agent directories, making future agent sessions discover and potentially follow package-supplied operational instructions. The content is not overtly exfiltrative, but the mutation happens as an install side effect rather than a clearly user-invoked setup action.
Rationale
Static inspection confirms an unconsented install-time AI-agent control-surface mutation via postinstall, which is blockable under the review boundary even though the payload is package-aligned and not credential-stealing. No remote exfiltration or destructive behavior was found. Product guard normalized a non-low false-positive publish_block request to warn-only suspicious.
Evidence
package.jsonscripts/setup-agent-skills.mjssrc/cli/onboard.tssrc/cli/templates/codex-skill-onboard.tssrc/cli/templates/skill-onboard.tssrc/cli/templates/command-onboard.tsbin/agent-inspector.js.output/cli.js~/.claude/skills/agent-inspector-onboard/SKILL.md~/.claude/commands/agent-inspector:onboard.md~/.codex/skills/agent-inspector-onboard/SKILL.md
Network endpoints3
localhost:25947/api/mcplocalhost:25947/proxyopencode.ai/config.json

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for policy block
  • package.json postinstall runs scripts/setup-agent-skills.mjs automatically on install.
  • scripts/setup-agent-skills.mjs detects existing CLAUDE_HOME/CODEX_HOME or ~/.claude/~/.codex and spawns .output/cli.js onboard.
  • src/cli/onboard.ts writes generated skills/commands into ~/.claude/skills, ~/.claude/commands, and ~/.codex/skills.
  • src/cli/templates/codex-skill-onboard.ts is an AI-agent skill that instructs Codex to edit ~/.codex/config.toml and connect MCP.
  • src/cli/templates/skill-onboard.ts is an AI-agent skill/Claude command workflow that reads/wires provider and MCP config.
Evidence against
  • Onboarding content is package-aligned for an agent observability tool.
  • Templates contain cautions to avoid reading auth/token files and to ask before changing Codex config.
  • Network endpoints are localhost MCP/proxy URLs except documentation/repository/schema URLs.
  • No credential exfiltration, persistence daemon, destructive deletion, or remote payload fetch found in inspected files.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsTelemetryUrlStrings
Manifest
WildcardDependency
scanned 211 file(s), 1.23 MB of source, external domains: 127.0.0.1, api-docs.deepseek.com, api.anthropic.com, api.deepseek.com, api.example.com, api.groq.com, api.minimaxi.com, api.openai.com, api.together.xyz, dashscope.aliyuncs.com, docs.bigmodel.cn, example.com, huggingface.co, nodejs.org, open.bigmodel.cn, opencode.ai, openrouter.ai, platform.minimaxi.com, www.w3.org

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/setup-windows-runtime.mjs && node scripts/setup-agent-skills.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/setup-windows-runtime.mjs && node scripts/setup-agent-skills.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
src/assets/agent-inspector.icoView file
path = src/assets/agent-inspector.ico kind = high_entropy_blob sizeBytes = 23504 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

src/assets/agent-inspector.icoView on unpkg
src/cli/onboard.tsView file
matchType = previous_version_dangerous_delta matchedPackage = @tonyclaw/agent-inspector@2.0.38 matchedIdentity = npm:[redacted]:2.0.38 similarity = 0.983 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

src/cli/onboard.tsView on unpkg

Findings

1 Critical2 High5 Medium6 Low
CriticalPrevious Version Dangerous Deltasrc/cli/onboard.ts
HighInstall Time Lifecycle Scriptspackage.json
HighShips High Entropy Blobsrc/assets/agent-inspector.ico
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings