AI Security Review
scanned 1h ago · by lpm-firewall-ai
LPM blocks this version under the AI-agent control-surface policy. Global npm install triggers lifecycle code that plants a Claude Code skill in the user's home directory. This mutates a foreign AI-agent control surface outside the package directory.
Static reason
One or more suspicious static signals were detected.
Trigger
npm global install postinstall
Impact
Future Claude Code sessions may load package-supplied instructions for agent-code tasks
Mechanism
unconsented Claude Code skill installation
Policy narrative
On global installation, npm runs install.js as postinstall. The script creates ~/.claude/skills/agent-fender and copies package-supplied Claude skill instructions and references there, causing future Claude Code sessions to see and potentially activate those instructions for broad agent-related prompts.
Rationale
Although the content is product-aligned and there is no exfiltration or remote code execution, lifecycle-triggered writes into ~/.claude/skills are an unconsented mutation of a foreign AI-agent control surface. Under the install control-surface policy this is blockable AI-agent control hijack behavior.
Evidence
- package.json
- install.js
- SKILL.md
- references/audit-examples.md
- references/inline-patterns.md
- references/library-integration.md
- ~/.claude/skills/agent-fender/SKILL.md
- ~/.claude/skills/agent-fender/references/audit-examples.md
- ~/.claude/skills/agent-fender/references/inline-patterns.md
- ~/.claude/skills/agent-fender/references/library-integration.md
Decision evidence
public snapshot
AI called this Malicious at 94.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
- package.json defines postinstall: node install.js and bin points to install.js
- install.js writes package files into ~/.claude/skills/agent-fender on global postinstall
- install.js copies SKILL.md and references into Claude Code skill control surface without an interactive consent check
- SKILL.md is an agent instruction file activated by Claude Code for broad agent-code requests
Evidence against
- install.js skips postinstall for non-global npm installs
- No network requests, credential reads, shell execution, eval, or native/binary loading found
- Copied skill content is package-aligned safety-audit guidance rather than exfiltration or destructive instructions
Behavioral surface
Environment Vars · Filesystem
Source & flagged code
2 flagged
package.json
• scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
• scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.json
Findings
1 High · 2 Medium · 2 Low
- High: Install Time Lifecycle Scripts (package.json)
- Medium: Ambiguous Install Lifecycle Script (package.json)
- Medium: Environment Vars
- Low: Scripts Present
- Low: Filesystem