registry  /  @trawlme/cli  /  1.18.3

@trawlme/cli@1.18.3

Trawl CLI — manage scraps from the terminal

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No install-time attack is present. Runtime CLI use can re-sync package-owned Claude skill directories; explicit skills commands can install or remove those directories.

Static reason
No blocking static signals were detected.
Trigger
A non-help `trawl` command after prior skill installation, or explicit `trawl skills install|update|uninstall`.
Impact
Modifies package-owned Claude skill directories that may later influence Claude Code behavior.
Mechanism
First-party Claude skill lifecycle management with marker-guarded filesystem writes.
Rationale
Source inspection supports a non-malicious but security-relevant first-party Claude skill lifecycle capability. Flag as warn under the stated policy rather than block.
Evidence
package.jsondist/index.jsdist/lib/skills.jsdist/commands/skills.jsdist/lib/api.jsdist/lib/posthog.js~/.claude/skills/<name>./.claude/skills/<name>
Network endpoints2
api.trawl.meeu.i.posthog.com

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/index.js` runs skill auto-sync on non-help CLI invocations.
  • `dist/lib/skills.js` copies bundled skills into `~/.claude/skills/<name>` or `./.claude/skills/<name>`.
  • `dist/lib/skills.js` auto-updates/removes only `.version`-marked CLI-owned skill directories.
  • `dist/commands/skills.js` exposes explicit install, update, and uninstall commands.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare hook.
  • No child-process, eval, VM, native-loader, or remote-code execution primitive found.
  • Network use is API traffic to Trawl and opt-out-capable PostHog command telemetry.
  • Skill overwrite/sync checks ownership markers and offers `TRAWL_SKILLS_SYNC=0` opt-out.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 16 file(s), 114 KB of source, external domains: api.trawl.me, eu.i.posthog.com

Source & flagged code

4 flagged · loading source
dist/index.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/index.js` runs skill auto-sync on non-help CLI invocations.

dist/index.jsView on unpkg
dist/lib/skills.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/lib/skills.js` copies bundled skills into `~/.claude/skills/<name>` or `./.claude/skills/<name>`.

dist/lib/skills.jsView on unpkg
Published source reference
Medium
Ai Review Evidence

`dist/lib/skills.js` auto-updates/removes only `.version`-marked CLI-owned skill directories.

dist/lib/skills.jsView on unpkg
dist/commands/skills.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/commands/skills.js` exposes explicit install, update, and uninstall commands.

dist/commands/skills.jsView on unpkg

Findings

6 Medium5 Low
MediumNetwork
MediumEnvironment Vars
MediumAi Review Evidencedist/index.js
MediumAi Review Evidencedist/lib/skills.js
MediumAi Review Evidencedist/lib/skills.js
MediumAi Review Evidencedist/commands/skills.js
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings