AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
User runs `agentesk skill add`/`skill update`, then `agentesk skill run <name> <script> --force`.
Impact
A reviewed-but-untrusted imported skill can achieve code execution with the invoking user's permissions.
Mechanism
Downloads remote skill content and launches selected scripts via Python, Node, or Bash.
Rationale
This is a legitimate agent/skill management tool, not a concrete malicious package. However, it exposes an explicit remote-code import-and-run capability whose safeguards are insufficient to establish a clean verdict.
Evidence
package.jsonsrc/commands/external-skill.jssrc/commands/sandbox.jssrc/lib/registry.jstemplates/project/.agents/scripts/checklist.py.agents/skills/external/<repository>/<skill>.agents/registry/skills-lock.json.agents/registry/registries.json
Network endpoints2
api.github.comraw.githubusercontent.com
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `src/commands/external-skill.js` downloads every file in a user-selected GitHub skill directory.
- `src/commands/sandbox.js` executes imported `.py`, `.js`, `.mjs`, or `.sh` files after explicit `--force`.
- The execution environment restricts `HOME` but does not provide an OS/network sandbox.
- Imported skill audit is regex-based; failing audits can be bypassed with `--force`.
Evidence against
- `package.json` contains no preinstall, install, postinstall, or prepare lifecycle hook.
- CLI import is inert until the user explicitly invokes `skill add` or `skill update`.
- Bundled templates only provide project-local agent files and verification helpers; no covert network or credential collection found.
- GitHub requests use an optional `GITHUB_TOKEN` only as an authorization header to GitHub endpoints.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcetemplates/project/.agents/scripts/init_project.pyView file
•path = templates/project/.agents/scripts/init_project.py
kind = payload_in_excluded_dir
sizeBytes = 1657
magicHex = [redacted]
High
Payload In Excluded Dir
Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.
templates/project/.agents/scripts/init_project.pyView on unpkg•path = templates/project/.agents/scripts/init_project.py
kind = build_helper
sizeBytes = 1657
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
templates/project/.agents/scripts/init_project.pyView on unpkgFindings
1 High4 Medium4 Low
HighPayload In Excluded Dirtemplates/project/.agents/scripts/init_project.py
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpertemplates/project/.agents/scripts/init_project.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings