AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No install-time attack is established. The CLI explicitly installs a first-party `.agents` control surface and can import/run externally sourced skill scripts after user commands and a force gate.
Static reason
No blocking static signals were detected.
Trigger
User runs `agentesk init`, `install`, `update`, `skill add`, or forced `skill run`.
Impact
Can alter project agent guidance and execute an imported skill script when the user explicitly forces it.
Mechanism
Project-local agent-template installation plus explicit GitHub skill import and gated script execution.
Rationale
Source shows explicit project agent-control-surface setup and optional remote skill execution, so policy calls for a warning. No concrete malicious chain or unconsented install-time behavior was found.
Evidence
apps/cli/package.jsonapps/cli/src/commands/install.jsapps/cli/src/commands/update.jsapps/cli/src/commands/external-skill.jsapps/cli/src/commands/sandbox.jstemplates/project/.agents/scripts/init_project.pyAGENTS.md.agents/.agents/skills/external/
Network endpoints2
api.github.comraw.githubusercontent.com
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `install`/`init` copy `AGENTS.md` and `.agents/` into the selected project.
- `update` overwrites managed `.agents` files on an explicit CLI command.
- External-skill import downloads selected GitHub skill files into `.agents/skills/external`.
- `skill run` executes imported `.py`, `.js`, `.mjs`, or `.sh` only with `--force`.
Evidence against
- Root and CLI manifests contain no `preinstall`, `install`, or `postinstall` hook.
- CLI entrypoint only dispatches user-supplied commands; imports and writes are not automatic.
- Network use is limited to explicit GitHub registry/skill operations.
- Template Python helpers are readable project-local setup/validation scripts; no payload or exfiltration was found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsUrlStrings
NoLicenseWildcardDependency
Source & flagged code
2 flagged · loading sourcetemplates/project/.agents/scripts/init_project.pyView file
•path = templates/project/.agents/scripts/init_project.py
kind = payload_in_excluded_dir
sizeBytes = 1657
magicHex = [redacted]
High
Payload In Excluded Dir
Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.
templates/project/.agents/scripts/init_project.pyView on unpkg•path = templates/project/.agents/scripts/init_project.py
kind = build_helper
sizeBytes = 1657
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
templates/project/.agents/scripts/init_project.pyView on unpkgFindings
1 High5 Medium5 Low
HighPayload In Excluded Dirtemplates/project/.agents/scripts/init_project.py
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpertemplates/project/.agents/scripts/init_project.py
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License