AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The package provides an explicit CLI command that installs a package-owned global agent skill and exposes it to Claude Code via symlink. No install-time execution or unconsented broad control-surface mutation is present.
Static reason
No blocking static signals were detected.
Trigger
User runs `dingtalk-agent skill install`, `upgrade`, or `uninstall`.
Impact
Changes future agent-session behavior through package-owned skill content.
Mechanism
Managed global skill copy and Claude Code skill symlink.
Rationale
The source implements first-party global agent-skill setup behind explicit user commands, so it warrants a warning under the extension lifecycle policy. No concrete malicious chain was found.
Evidence
package.jsondist/bin/dingtalk-agent.jsdist/src/skill-manager.jsdist/src/dws.jsskills/dingtalk-basic-behavior/SKILL.mdskills/dingtalk-basic-behavior~/.agents/skills/dingtalk-basic-behavior~/.claude/skills/dingtalk-basic-behavior
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- Explicit `skill install` copies a bundled skill into `~/.agents/skills/dingtalk-basic-behavior`.
- The same command creates `~/.claude/skills/dingtalk-basic-behavior` symlink.
- Skill lifecycle code can upgrade or uninstall only its marker-managed paths.
Evidence against
- `package.json` has no preinstall/install/postinstall lifecycle hook.
- Global skill mutation is reachable only through explicit `dingtalk-agent skill` subcommands.
- `skill-manager.js` rejects unmanaged/conflicting paths and modified managed installs.
- No direct network URLs, credential harvesting, eval/vm use, or remote payload loading found.
- DingTalk access is delegated to explicitly invoked external `dws` commands.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemShell
HighEntropyStrings
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
4 Medium3 Low
MediumEnvironment Vars
MediumAi Review Evidence
MediumAi Review Evidence
MediumSuspicious Lifecycle Evidence
LowScripts Present
LowFilesystem
LowHigh Entropy Strings