registry  /  cami-design  /  0.3.4

cami-design@0.3.4

Camille Pawlak's Claude Code design skill — layout, interaction, copy, and engineer modes for building, reviewing, and shipping interfaces with intent.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Postinstall mutates the user's Claude Code skill control surface. It discovers bundled skills, creates ~/.claude/skills, and links package-controlled instructions there.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm installation
Impact
Package-controlled AI-agent instructions become active in the user's Claude environment; existing skill paths may be renamed and replaced.
Mechanism
Automatic postinstall deployment of package-supplied Claude skills
Policy narrative
On npm installation, the package creates ~/.claude/skills and symlinks all bundled skill directories into it. If a target name already exists as a regular file or directory, it renames it to .bak before activating the package-controlled replacement. This is an unconsented postinstall mutation of a broad external AI-agent control surface.
Rationale
The source confirms the scanner’s core finding: postinstall automatically installs package-controlled Claude skills into the user’s global Claude configuration. Under the firewall policy, that concrete unconsented control-surface mutation warrants blocking even though no separate exfiltration chain was found.
Evidence
package.jsonscripts/install.jsscripts/uninstall.jsscripts/eval.jsskills/cami-design/SKILL.mdskills/cami-design-copy/SKILL.mdskills/cami-design-engineer/SKILL.mdskills/cami-design-interaction/SKILL.mdskills/cami-design-layout/SKILL.md~/.claude/skills

Decision evidence

public snapshot
AI called this Malicious at 95.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • package.json runs scripts/install.js as postinstall.
  • scripts/install.js creates ~/.claude/skills during installation.
  • scripts/install.js symlinks every bundled skill into ~/.claude/skills.
  • Existing non-symlink skill paths are renamed to .bak before replacement.
  • The mutation occurs without an explicit user command.
Evidence against
  • No install-time network, credential harvesting, shell execution, or remote payload loading was found.
  • scripts/eval.js calls only api.anthropic.com and is user-invoked, not lifecycle-triggered.
  • scripts/uninstall.js removes only symlinks under the same Claude skills target.
Behavioral surface
Source
EnvironmentVarsFilesystemNetwork
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 10.1 KB of source

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts/install.jsView file
6Install-time AI-agent control hijack evidence: L6: const skillsDir = path.join(__dirname, "..", "skills"); L7: const targetDir = path.join(os.homedir(), ".claude", "skills"); L8: ... L14: L15: // Ensure ~/.claude/skills exists L16: fs.mkdirSync(targetDir, { recursive: true }); L17: Payload evidence from skills/cami-design/SKILL.md: L172: L173: - **Version**: the canonical version is `package.json`. Sub-skill `metadata.version` fields are intentionally absent — they never moved in lockstep with absorptions, so they were d... L174: - **Evolution**: this skill grows by absorbing techniques from upstream skills. Never copy blindly — run the eval corpus first, then cherry-pick into the relevant reference file, t...
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/install.jsView on unpkg · L6

Findings

1 Critical1 High4 Medium3 Low
CriticalAi Agent Control Hijackscripts/install.js
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem