AI Security Review
scanned 3h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `bfi skills add`, `install`, or `update` (or another explicit CLI command).
Impact
A user-selected remote skill can gain capability through an agent-recognized skills directory; no install-time or stealth activation by this npm package was found.
Mechanism
Remote skill retrieval followed by copy/symlink installation into AI-agent skill paths.
Rationale
The package is not concretely malicious, but it explicitly manages AI-agent skill installation from remote sources and writes into agent-recognized directories. Per firewall policy, this is a warn-level agent capability risk rather than a publish block.
Evidence
package.jsonbin/bfi.mjsdist/cli.mjsdist/_chunks/agents.mjsskills/bfi-skill/SKILL.md~/.bfi/config.json~/.bfi/agents-cache.json~/.agents/skills
Network endpoints3
bfi.yyuap.com:811api.github.comskills.sh
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `dist/cli.mjs` installs selected skill content into many AI-agent skill directories.
- `bfi skills add` accepts remote Git/SkillHub sources, then copies or symlinks them into agent paths.
- `dist/cli.mjs` sends configured `BFI_TOKEN`/stored token as Bearer auth to the selected registry.
- `dist/_chunks/agents.mjs` caches token-authorized remote agent definitions in `~/.bfi/agents-cache.json`.
Evidence against
- `package.json` has no npm install/preinstall/postinstall hook; `prepublishOnly` is publish-time only.
- `bin/bfi.mjs` only enables Node compile cache and imports the CLI when the user runs `bfi`.
- Agent-directory writes occur in explicit `skills add/install/update` command flows, with path traversal checks.
- No eval/vm payload execution, credential harvesting, stealth persistence, or unsolicited exfiltration was found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
WildcardDependency
Source & flagged code
2 flagged · loading sourcedist/_chunks/libs/simple-git.mjsView file
6import { normalize } from "node:path";
L7: import { spawn } from "child_process";
L8: import { EventEmitter } from "node:events";
High
Child Process
Package source references child process execution.
dist/_chunks/libs/simple-git.mjsView on unpkg · L6dist/cli.mjsView file
17Cross-file remote execution chain: dist/cli.mjs spawns dist/_chunks/libs/simple-git.mjs; helper contains network access plus dynamic code execution.
L17: import { Writable } from "stream";
L18: import https from "node:https";
L19: import http from "node:http";
L20: import os$1 from "node:os";
L21: import zlib, { gunzipSync, inflateRawSync } from "node:zlib";
L22: import { promisify } from "util";
L23: import { execFile, execSync, spawn, spawnSync } from "child_process";
L24: import { access, chmod, cp, lstat, mkdir, mkdtemp, readFile, readdir, readlink, realpath, rm, stat, symlink, writeFile } from "fs/promises";
...
L61: }
L62: async function isRepoPrivate(owner, repo) {
L63: try {
...
L295: function countVisualRowsForLines(lines, columns) {
High
Cross File Remote Execution Context
Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/cli.mjsView on unpkg · L17Findings
3 High3 Medium5 Low
HighChild Processdist/_chunks/libs/simple-git.mjs
HighShell
HighCross File Remote Execution Contextdist/cli.mjs
MediumNetwork
MediumEnvironment Vars
MediumWildcard Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings