registry  /  @weloin/claude-skills  /  0.2.0

@weloin/claude-skills@0.2.0

Weloin's Claude Code skills library + cross-platform installer (symlinks skills into ~/.claude/skills)

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Package provides a Claude Code skill installer with lifecycle sync for previously managed installs. Risk is agent extension lifecycle mutation of package-owned skills, not confirmed malware.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm postinstall sync for existing manifest entries, or explicit weloin-skills install commands
Impact
Can update installed Claude Code skill instructions through package updates; no confirmed exfiltration or destructive behavior found.
Mechanism
symlink/copy package skills into Claude Code skills directory and maintain manifest
Rationale
The package mutates Claude Code extension state only for package-owned skills and mainly via explicit user commands or manifest-managed postinstall sync, so it is risky but not a concrete malicious hijack. No credential harvesting, network endpoints, destructive actions, or remote payload execution were found in inspected source.
Evidence
package.jsonbin/cli.mjsREADME.mdskills/project-setup/SKILL.mdskills/project-setup/references/04-agents.mdskills/project-setup/references/templates.md~/.claude/skills/<skill>~/.claude/weloin-skills.json.claude/agents/*.md

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall: node bin/cli.mjs sync --silent.
  • bin/cli.mjs can symlink/copy package skills into ~/.claude/skills and write ~/.claude/weloin-skills.json.
  • README.md documents symlinked skills update when npm package/repo updates.
  • skills/project-setup/references/04-agents.md instructs creating .claude/agents/*.md during explicit skill workflow.
Evidence against
  • postinstall sync only re-links entries already present in the package manifest; first install with empty manifest exits without installing skills.
  • bin/cli.mjs has no network, child_process, eval/vm, native binary, or dynamic remote loading.
  • bin/cli.mjs treats existing non-managed target dirs as foreign and skips unless explicit --force is used.
  • Skill files appear to be project setup instructions, not credential harvesting or exfiltration payloads.
Behavioral surface
Source
EnvironmentVarsFilesystem
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 8.76 KB of source

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node bin/cli.mjs sync --silent
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node bin/cli.mjs sync --silent
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/cli.mjsView file
1Install-time AI-agent control hijack evidence: L2: /** L3: * weloin-skills — install Claude Code skills from this package into ~/.claude/skills L4: * ... L21: const SKILLS_SRC = path.join(PKG_ROOT, 'skills'); L22: const TARGET_DIR = process.env.WELOIN_SKILLS_TARGET || path.join(os.homedir(), '.claude', 'skills'); L23: const MANIFEST = process.env.WELOIN_SKILLS_MANIFEST || path.join(os.homedir(), '.claude', 'weloin-skills.json'); L24: const IS_WIN = process.platform === 'win32'; ... L66: L67: // state of ~/.claude/skills/<name>: none | linked (ours) | copy (per manifest) | foreign L68: function targetState(name, src) { ... L87: function saveManifest(m) { L88: fs.mkdirSync(path.dirname(MANIFEST), { recursive: true }); Payload evidence from skills/project-setup/SKILL.md: L1: --- L2: name: weloin:project-setup
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

bin/cli.mjsView on unpkg · L1

Findings

1 Critical1 High3 Medium2 Low
CriticalAi Agent Control Hijackbin/cli.mjs
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem