registry  /  @wowok/skills  /  1.1.12

@wowok/skills@1.1.12

WoWok AI Skills for Claude and other AI assistants - Helping AI use WoWok MCP tools correctly

AI Security Review

scanned 4h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. npm postinstall unconditionally writes package-supplied AI-agent instruction files into the user's home-level Claude skills directory. An environment variable expands this install-time mutation to other AI-agent control surfaces.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Installing @wowok/skills@1.1.12 via npm
Impact
Package-controlled instructions can automatically influence installed AI-agent behavior beyond the consuming project.
Mechanism
postinstall copies AI-agent skill instructions into home-level control directories
Policy narrative
On npm postinstall, scripts/install.js copies 13 package-provided SKILL.md files into ~/.claude/skills/wowok-* by default. WOWOK_SKILLS_TARGETS can redirect the same install-time write to additional agent directories, including Codex, Cursor, and GitHub Copilot surfaces. The copied content includes always-loaded tool guidance, so this is a concrete unconsented lifecycle mutation of broad, foreign AI-agent control surfaces. No separate network or credential-exfiltration behavior was found.
Rationale
Source inspection confirms a postinstall hook modifies home-level AI-agent instruction directories outside the installed project. This meets the firewall block boundary for unconsented install-time mutation of a foreign/broad AI-agent control surface.
Evidence
package.jsonscripts/install.jsREADME.mdwowok-tools/SKILL.mdwowok-safety/SKILL.mddist/cli.jswowok-output/SKILL.md~/.claude/skills/wowok-*~/.codex/skills/wowok-*~/.agents/skills/wowok-*~/.cursor/rules/wowok-*.mdc~/.github/prompts/wowok-*.prompt.md

Decision evidence

public snapshot
AI called this Malicious at 97.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • package.json runs scripts/install.js in postinstall.
  • scripts/install.js defaults to writing 13 skills under ~/.claude/skills.
  • Lifecycle targets include ~/.codex, ~/.agents, ~/.cursor, and ~/.github.
  • Installer copies package-controlled SKILL.md instructions into agent control directories.
  • wowok-tools/SKILL.md is marked always: true and directs agent tool actions.
Evidence against
  • No network, shell execution, dynamic code loading, or credential harvesting found.
  • README.md documents the lifecycle behavior and explicit CLI alternatives.
  • preuninstall removes only named wowok-* skill directories.
Behavioral surface
Source
EnvironmentVarsFilesystem
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 6 file(s), 32.5 KB of source

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts/install.jsView file
4Install-time AI-agent control hijack evidence: L4: * npm lifecycle integration: L5: * postinstall → copy SKILL.md folders to ~/.claude/skills/ (and more via env) L6: * preuninstall → remove SKILL.md folders from all installed client dirs ... L33: const CLIENT_DIRS = { L34: claude: path.join(os.homedir(), '.claude', 'skills'), L35: codex: path.join(os.homedir(), '.codex', 'skills'), L36: agents: path.join(os.homedir(), '.agents', 'skills'), ... L47: if (!fs.existsSync(src)) return false; L48: fs.mkdirSync(dest, { recursive: true }); L49: const entries = fs.readdirSync(src, { withFileTypes: true }); ... L55: } else { L56: fs.copyFileSync(srcPath, destPath); Payload evidence from wowok-messenger/SKILL.md: L136: | **Guarded** | `allowStrangerMessages: false`, guard list with 1-3 guards, friends list for known contacts | Service providers who want verified strangers only; customers discover... L137: | **Closed** | `allowStrangerMessages: false`, no guard list, friends-only | Private negotiations, internal team communication | L138: | **Defensive** | `allowStrangerMessages: true`, substantial blacklist | Users receiving harassment from specific addresses; open but monitoring |
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/install.jsView on unpkg · L4

Findings

1 Critical1 High3 Medium4 Low
CriticalAi Agent Control Hijackscripts/install.js
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings