registry  /  @yangshengzhou/leafcli  /  1.0.1

@yangshengzhou/leafcli@1.0.1

请安装最新版本

Make any website or Electron App your CLI. AI-powered.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Installation silently provisions LeafCLI skill content into Claude Desktop and TRAE IDE directories. This is a first-party AI-extension lifecycle mutation, not a confirmed payload or data-exfiltration chain.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install executes the postinstall lifecycle hook.
Impact
Adds package-supplied AI instructions/capabilities to supported local AI tools without an install-time opt-in.
Mechanism
Copies package-owned skill directories and creates LeafCLI plugin metadata in AI-tool paths.
Rationale
The package has an install-time AI-tool control-surface mutation that merits a warning. Its writes remain LeafCLI-scoped and inspected source shows no concrete malicious behavior, so blocking as malware is not supported.
Evidence
package.jsonscripts/postinstall.jsdist/src/external.jsdist/src/update-check.jsskills/leafcli-browser/SKILL.mdskills/~/.claude/plugins/marketplaces/claude-plugins-official/plugins/leafcli/.claude-plugin/plugin.json~/.claude/plugins/marketplaces/claude-plugins-official/plugins/leafcli/skills/~/.trae-cn/builtin_skills/leafcli-*~/.leafcli/spotify.env

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` runs `scripts/postinstall.js` on install.
  • `scripts/postinstall.js` creates `~/.claude/.../plugins/leafcli` and copies package skills without prompting.
  • `scripts/postinstall.js` also creates `~/.trae-cn/builtin_skills/leafcli-*` during installation.
  • `dist/src/external.js` can install and execute registered external CLIs only through runtime user commands.
Evidence against
  • Postinstall is local filesystem setup; it has no network or subprocess execution.
  • AI-tool writes are limited to named LeafCLI-owned directories and copy packaged skills only when absent.
  • No credential harvesting, secret reads, exfiltration, remote payload loading, or destructive behavior was found in inspected files.
  • `dist/src/update-check.js` contacts only the npm registry and GitHub for version notices during CLI runtime, not installation.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1,420 file(s), 6.63 MB of source, external domains: 127.0.0.1, 36kr.com, account.dianping.com, accounts.douban.com, accounts.google.com, accounts.pixiv.net, accounts.spotify.com, admin.xiaoe-tech.com, api.bilibili.com, api.chess.com, api.coingecko.com, api.dictionaryapi.dev, api.fda.gov, api.github.com, api.juejin.cn, api.llama.fi, api.m.jd.com, api.manus.im, api.npmjs.org, api.nuget.org, api.openalex.org, api.osv.dev, api.ruguoapp.com, api.semanticscholar.org, api.slock.ai, api.spotify.com, api.stackexchange.com, api.tvmaze.com, api.xiaoyuzhoufm.com, api.zsxq.com, api2.mubu.com, api2.openreview.net, app.cj.sina.com.cn, app.mercury.com, app.slock.ai, appxxxx.h5.xet.citv.cn, archive.org, arxiv.org, auth.1point3acres.com, auth.band.us, auth.openai.com, azuresearch-usnc.nuget.org, b23.tv, bbs.hupu.com, bid.powerchina.cn, blog.sina.com.cn, book.douban.com, cart.jd.com, cart.taobao.com, cdn1.suno.ai

Source & flagged code

9 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/src/external.jsView file
4import { fileURLToPath } from 'node:url'; L5: import { spawnSync, execFileSync } from 'node:child_process'; L6: import yaml from 'js-yaml';
High
Child Process

Package source references child process execution.

dist/src/external.jsView on unpkg · L4
172} L173: /** Quote a token for cmd.exe: wrap when it contains shell-significant chars, doubling inner quotes. */ L174: function quoteForCmdShell(token) {
High
Shell

Package source references shell execution.

dist/src/external.jsView on unpkg · L172
dist/src/browser/article-extract.jsView file
108' // guard (if typeof module === "object"), which is falsy here.', L109: ' const libs = (new Function(', L110: ' readabilitySrc + "\\n" + readerableSrc + "\\nreturn {" +',
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/src/browser/article-extract.jsView on unpkg · L108
dist/src/discovery.jsView file
180return; L181: await import(pathToFileURL(filePath).href).catch((err) => { L182: log.warn(`Failed to load module ${filePath}: ${getErrorMessage(err)}`);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/src/discovery.jsView on unpkg · L180
clis/flomo/memos.jsView file
76params.sign = createHash('md5').update(signBase + '[redacted]').digest('hex'); L77: return 'https://flomoapp.com/api/v1/memo/updated/?' + new URLSearchParams(params).toString(); L78: } ... L85: if (!raw) return null; L86: const me = JSON.parse(raw); L87: const token = me?.access_token || me?.data?.access_token || '';
Low
Weak Crypto

Package source references weak cryptographic algorithms.

clis/flomo/memos.jsView on unpkg · L76
scripts/postinstall.jsView file
6Install-time AI-agent control hijack evidence: L9: * It installs leafcli skills to supported AI tools: L10: * - Claude Desktop: ~/.[redacted]-plugins-official/plugins/leafcli/skills/ L11: * - TRAE IDE: ~/.trae-cn/builtin_skills/ ... L13: L14: import { mkdirSync, writeFileSync, existsSync, readdirSync, statSync, copyFileSync, readFileSync } from 'node:fs'; L15: import { join, basename } from 'node:path'; ... L26: if (!existsSync(dest)) { L27: mkdirSync(dest, { recursive: true }); L28: } ... L35: } else { L36: copyFileSync(srcPath, destPath); L37: } Payload evidence from clis/antigravity/SKILL.md: L6: L7: This skill allows AI agents to control the [Antigravity](https://github.com/chengazhen/Antigravity) desktop app (and any Electron app with CDP enabled) programmatically via leafcli... L8:
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/postinstall.jsView on unpkg · L6
dist/src/cli.jsView file
99Cross-file remote execution chain: dist/src/cli.js spawns dist/src/browser/network-interceptor.js; helper contains network access plus dynamic code execution. L99: try { L100: body = JSON.parse(preview); L101: } ... L129: catch { L130: if (process.env.leafcli_VERBOSE) L131: log.warn(`[network] Failed to parse interceptor buffer: ${typeof raw === 'string' ? raw.slice(0, 200) : String(raw)}`); ... L143: } L144: /** Exit codes by network error code — usage errors vs runtime failures. */ L145: const NETWORK_ERROR_EXIT = { ... L147: invalid_filter: EXIT_CODES.USAGE_ERROR, L148: invalid_max_body: EXIT_CODES.USAGE_ERROR, L149: };
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/src/cli.jsView on unpkg · L99

Findings

1 Critical4 High5 Medium8 Low
CriticalAi Agent Control Hijackscripts/postinstall.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/src/external.js
HighShelldist/src/external.js
HighCross File Remote Execution Contextdist/src/cli.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/src/discovery.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/src/browser/article-extract.js
LowWeak Cryptoclis/flomo/memos.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings