AI Security Review
scanned 5h ago · by lpm-firewall-ai
LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious chain was found, but npm install automatically mutates the user's Claude Code skills directory. This is package-aligned first-party agent extension setup, so it is a lifecycle risk rather than a publish-blocking control hijack.
Decision evidence
public snapshot
- package.json defines postinstall and preuninstall lifecycle scripts executing scripts/install.js and scripts/uninstall.js.
- scripts/install.js creates ~/.claude/skills and symlinks every bundled skills/* directory into that Claude Code control surface.
- scripts/install.js replaces existing symlinks and renames non-symlink collisions to .bak during npm install.
- scripts/uninstall.js removes matching symlinks from ~/.claude/skills on uninstall.
- The installed files are first-party bundled Claude skill directories, matching the package description and README usage.
- No install-time network access, credential reads, shell execution, eval, native binary loading, or remote payload fetching found.
- scripts/eval.js contacts api.anthropic.com only when explicitly run via npm eval scripts and requires ANTHROPIC_API_KEY.
- Skill markdown appears design-review oriented; no prompt injection, exfiltration, persistence, or destructive instructions found.
Source & flagged code
3 flagged
- package.json: Package defines install-time lifecycle scripts.
- package.json: Install-time lifecycle script is not statically allowlisted and needs review.
- scripts/install.js · L6: Install-time source drops package-supplied AI-agent/MCP control files or instructions.