registry  /  cami-design  /  0.3.1

cami-design@0.3.1

Camille Pawlak's Claude Code design skill — layout, interaction, copy, and engineer modes for building, reviewing, and shipping interfaces with intent.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package automatically modifies the Claude Code skills control surface during npm postinstall by linking bundled first-party skills into the user's home directory. This is an agent extension lifecycle risk, but source inspection did not show exfiltration, remote payload execution, or stealth persistence.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
npm install or npm uninstall lifecycle scripts; explicit npm run eval for network use
Impact
Claude Code skill set is changed automatically; existing target paths may be backed up to .bak
Mechanism
postinstall symlink setup for Claude skills
Rationale
Source confirms automatic first-party Claude skill setup during npm lifecycle, which warrants a warning under agent extension lifecycle policy. No concrete malicious chain such as credential theft, install-time network access, destructive behavior, or remote code execution was found.
Evidence
package.jsonscripts/install.jsscripts/uninstall.jsscripts/eval.jsREADME.mdskills/cami-design/SKILL.md~/.claude/skills~/.claude/skills/<bundled-skill>~/.claude/skills/<bundled-skill>.bak
Network endpoints1
api.anthropic.com

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
  • package.json runs scripts/install.js on postinstall and scripts/uninstall.js on preuninstall.
  • scripts/install.js creates ~/.claude/skills and symlinks every bundled skills/*/SKILL.md directory into it.
  • scripts/install.js replaces existing symlinks and renames real existing target paths to .bak before linking.
  • scripts/uninstall.js removes symlinks under ~/.claude/skills for bundled skill names.
  • scripts/eval.js can call api.anthropic.com with ANTHROPIC_API_KEY, but only via explicit npm eval scripts.
Evidence against
  • No install-time network calls found in scripts/install.js or scripts/uninstall.js.
  • No credential harvesting or exfiltration found; eval uses only ANTHROPIC_API_KEY for explicit Anthropic API requests.
  • No child_process, eval, Function, native binary, or dynamic remote code loading found.
  • Bundled skill files are design-review instructions and references, matching the package purpose.
  • README discloses that global install automatically links Claude Code slash commands.
Behavioral surface
Source
EnvironmentVarsFilesystemNetwork
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 10.1 KB of source

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts/install.jsView file
6Install-time AI-agent control hijack evidence: L6: const skillsDir = path.join(__dirname, "..", "skills"); L7: const targetDir = path.join(os.homedir(), ".claude", "skills"); L8: ... L14: L15: // Ensure ~/.claude/skills exists L16: fs.mkdirSync(targetDir, { recursive: true }); L17: Payload evidence from skills/cami-design/SKILL.md: L172: L173: - **Version**: the canonical version is `package.json`. Sub-skill `metadata.version` fields are intentionally absent — they never moved in lockstep with absorptions, so they were d... L174: - **Evolution**: this skill grows by absorbing techniques from upstream skills. Never copy blindly — run the eval corpus first, then cherry-pick into the relevant reference file, t...
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/install.jsView on unpkg · L6
scripts/eval.jsView file
matchType = previous_version_dangerous_delta matchedPackage = cami-design@0.3.0 matchedIdentity = npm:Y2FtaS1kZXNpZ24:0.3.0 similarity = 0.667 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

scripts/eval.jsView on unpkg

Findings

1 Critical2 High4 Medium3 Low
CriticalAi Agent Control Hijackscripts/install.js
HighInstall Time Lifecycle Scriptspackage.json
HighPrevious Version Dangerous Deltascripts/eval.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem