registry  /  @yuanze_dev/cli  /  0.5.1

@yuanze_dev/cli@0.5.1

原则 CLI:飞书登录后自动把公司授权的 Agent Skills 同步进 Claude Code / Codex / OpenClaw

AI Security Review

scanned 1h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious install-time attack behavior. The package is a user-invoked agent skill distribution CLI that can modify agent skill directories and scheduler/hook configuration after login.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `yz-cli login`, `yz-cli skills sync/install/info`, `yz-cli update`, or `yz-cli api`.
Impact
User-authorized agent skills may be installed and kept updated; compromise of the package backend or manifest could affect agent behavior.
Mechanism
Authenticated skill sync and agent extension setup
Rationale
Static inspection found no lifecycle hook abuse, stealth persistence, destructive behavior, or covert credential exfiltration; the risky primitives are explicit user-command agent skill setup aligned with the package description. Because it mutates AI-agent control surfaces and schedules ongoing sync after login, warn rather than block.
Evidence
package.jsondist/index.js~/.yz/credentials.json~/.yz/service-token.json~/.yz/state.json~/.yz/skills~/.yz/cache/skills~/.claude/settings.json~/.claude/skills~/.codex/skills~/.openclaw/skills~/Library/LaunchAgents/dev.yuanze.yzcli.sync.plist~/.config/systemd/user/yzcli-sync.service~/.config/systemd/user/yzcli-sync.timeruser crontabWindows Scheduled Task yz-cli skills sync
Network endpoints3
alifc.lusun.com/yz-cli/prodyz-cli.oss-cn-beijing.aliyuncs.com/cliregistry.npmjs.org/@yuanze_dev%2Fcli/latest

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/index.js writes Claude Code SessionStart hook command `yz-cli skills sync --quiet --if-stale 1h` during `login`
  • dist/index.js registers hourly sync via launchd/systemd/crontab/Windows Scheduled Task after user login
  • dist/index.js downloads skill tarballs from server-provided URLs and extracts them into `~/.yz/skills` after SHA-256 check
  • dist/index.js links or copies managed skills into `~/.claude/skills`, `~/.codex/skills`, and `~/.openclaw/skills`
  • dist/index.js stores service client secret when `login --client-id --client-secret` is used
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts
  • Agent hook and scheduler setup are invoked by explicit `yz-cli login`, not npm install or import
  • Network endpoints align with package purpose: auth, manifest, skill download, sync reporting, update checks
  • Existing non-yz-managed skill directories are skipped rather than overwritten
  • Downloaded skill artifacts are hash-checked against manifest metadata before extraction
  • No credential harvesting or covert exfiltration beyond user-authenticated API/report calls found
Behavioral surface
Source
EnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 1 file(s), 41.8 KB of source, external domains: 127.0.0.1, alifc.lusun.com, registry.npmjs.org, www.apple.com, yz-cli.oss-cn-beijing.aliyuncs.com

Source & flagged code

3 flagged · loading source
dist/index.jsView file
1#!/usr/bin/env node L2: import{Command as e}from"commander";import t from"picocolors";import{z as n}from"zod";import{chmodSync as r,closeSync as i,copyFileSync as a,cpSync as o,existsSync as s,lstatSync a... L3: `)):ne(n,c,`dir`),r.linked.push(c)}return r}function $e(e){try{return c(e).isSymbolicLink()}catch{return!1}}function L(e,t){let n=new Set(t);for(let t of Ye)n.add(v(t.skillsDir(),e...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L1
1#!/usr/bin/env node L2: import{Command as e}from"commander";import t from"picocolors";import{z as n}from"zod";import{chmodSync as r,closeSync as i,copyFileSync as a,cpSync as o,existsSync as s,lstatSync a... L3: `)):ne(n,c,`dir`),r.linked.push(c)}return r}function $e(e){try{return c(e).isSymbolicLink()}catch{return!1}}function L(e,t){let n=new Set(t);for(let t of Ye)n.add(v(t.skillsDir(),e... ... L8: `):[]}catch{return[]}}function jt(e){try{return b(`crontab`,[`-`],{input:`${e.join(` L9: `)}\n`,stdio:[`pipe`,`ignore`,`ignore`]}),!0}catch{return!1}}function Mt(){let{program:e,prefix:n}=H(),r=`0 * * * * ${[e,...n,...V].map(kt).join(` `)} >> ${kt(ht())} 2>&1 # ${K}`,i... L10: 正在接线本机 agent…`),Vt(),console.log(`
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L1
1#!/usr/bin/env node L2: import{Command as e}from"commander";import t from"picocolors";import{z as n}from"zod";import{chmodSync as r,closeSync as i,copyFileSync as a,cpSync as o,existsSync as s,lstatSync a... L3: `)):ne(n,c,`dir`),r.linked.push(c)}return r}function $e(e){try{return c(e).isSymbolicLink()}catch{return!1}}function L(e,t){let n=new Set(t);for(let t of Ye)n.add(v(t.skillsDir(),e... L4: ---`),console.log(`[yz-cli] ${n.name}@${n.version}(${n.displayName})`),o.length){console.log(`[yz-cli] 附属文件(用你的文件工具按需读取):`);for(let e of o)console.log(e)}console.error(t.dim(`(来源:$... L5: `),o=gt();l(_(o),{recursive:!0}),g(o,a);let s=`gui/${process.getuid?.()??0}`;return U([`bootout`,`${s}/${B}`]),U([`bootstrap`,s,o])||U([`load`,`-w`,o])?t.green(`✓ launchd 定时同步已注册(每... ... L8: `):[]}catch{return[]}}function jt(e){try{return b(`crontab`,[`-`],{input:`${e.join(` L9: `)}\n`,stdio:[`pipe`,`ignore`,`ignore`]}),!0}catch{return!1}}function Mt(){let{program:e,prefix:n}=H(),r=`0 * * * * ${[e,...n,...V].map(kt).join(` `)} >> ${kt(ht())} 2>&1 # ${K}`,i... L10: 正在接线本机 agent…`),Vt(),console.log(`
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/index.jsView on unpkg · L1

Findings

2 High3 Medium5 Low
HighSame File Env Network Executiondist/index.js
HighCommand Output Exfiltrationdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/index.js
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License