cami-design@0.3.0

Camille Pawlak's Claude Code design skill — layout, interaction, copy, and engineer modes for building, reviewing, and shipping interfaces with intent.

AI Security Review

scanned 5h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious chain was found, but npm install automatically mutates the user's Claude Code skills directory. This is package-aligned first-party agent extension setup, so it is a lifecycle risk rather than a publish-blocking control hijack.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install runs postinstall; npm uninstall runs preuninstall
Impact
Installs bundled AI-agent skill instructions into the user's Claude environment without a separate explicit setup command.
Mechanism
Claude Code skill symlink installation into ~/.claude/skills
Rationale
Static inspection confirms install-time Claude skill installation, but the behavior is aligned with a Claude skill package and lacks credential harvesting, install-time network activity, or remote code execution. Per policy this should warn for first-party agent extension lifecycle risk, not block as malicious.
Evidence
  • package.json
  • scripts/install.js
  • scripts/uninstall.js
  • scripts/eval.js
  • skills/cami-design/SKILL.md
  • skills/cami-design-engineer/SKILL.md
  • skills/
  • ~/.claude/skills
Network endpoints: 1
api.anthropic.com

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall and preuninstall lifecycle scripts executing scripts/install.js and scripts/uninstall.js.
  • scripts/install.js creates ~/.claude/skills and symlinks every bundled skills/* directory into that Claude Code control surface.
  • scripts/install.js replaces existing symlinks and renames non-symlink collisions to .bak during npm install.
  • scripts/uninstall.js removes matching symlinks from ~/.claude/skills on uninstall.
Evidence against
  • The installed files are first-party bundled Claude skill directories, matching the package description and README usage.
  • No install-time network access, credential reads, shell execution, eval, native binary loading, or remote payload fetching found.
  • scripts/eval.js contacts api.anthropic.com only when explicitly run via npm eval scripts and requires ANTHROPIC_API_KEY.
  • Skill markdown appears design-review oriented; no prompt injection, exfiltration, persistence, or destructive instructions found.
Behavioral surface
Source: Environment Vars, Filesystem, Network
Supply chain: No supply-chain packaging signals triggered.
Manifest: No manifest risk signals triggered.
scanned 3 file(s), 9.75 KB of source

Source & flagged code

3 flagged
package.json
scripts.postinstall = node scripts/install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node scripts/install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
scripts/install.js
Install-time AI-agent control hijack evidence:
  L6: const skillsDir = path.join(__dirname, "..", "skills");
  L7: const targetDir = path.join(os.homedir(), ".claude", "skills");
  L8: ...
  L14:
  L15: // Ensure ~/.claude/skills exists
  L16: fs.mkdirSync(targetDir, { recursive: true });
  L17:
Payload evidence from skills/cami-design/SKILL.md:
  L282:
  L283: - **Version**: the canonical version is `package.json`. Sub-skill `metadata.version` fields are intentionally absent — they never moved in lockstep with absorptions, so they were d...
  L284: - **Evolution**: this skill grows by absorbing techniques from upstream skills. Never copy blindly — run the eval corpus first, then cherry-pick into the relevant reference file, t...
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/install.js · L6

Findings

1 Critical · 1 High · 4 Medium · 3 Low
Critical · Ai Agent Control Hijack · scripts/install.js
High · Install Time Lifecycle Scripts · package.json
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem