registry  /  cami-design  /  0.4.0

cami-design@0.4.0

Camille Pawlak's Claude Code design skill — layout, interaction, copy, and engineer modes for building, reviewing, and shipping interfaces with intent.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Postinstall mutates the Claude Code skill directory by linking bundled skill folders. It can replace or back up same-named local entries, but no exfiltration or remote execution chain is present.

Static reason
High-risk behavior combination matched malicious policy.; source matched previously finalized malicious package; routed for review; source fingerprint signature matched known malicious package; routed for review
Trigger
npm postinstall; preuninstall removes installed symlinks.
Impact
Package installation changes local AI-agent skill discovery for the package's five named skills.
Mechanism
First-party Claude Code skill lifecycle installation via symlinks.
Rationale
This is not concrete malware: the networked evaluator is user-invoked and no payload execution, exfiltration, or stealth persistence was found. The documented postinstall mutation of Claude Code's skill directory remains a lifecycle extension risk requiring a warning.
Evidence
package.jsonscripts/install.jsscripts/uninstall.jsscripts/eval.jsREADME.mdskills/cami-design/SKILL.mdskills/cami-design-copy/SKILL.mdskills/cami-design-engineer/SKILL.mdskills/cami-design-interaction/SKILL.mdskills/cami-design-layout/SKILL.md~/.claude/skills
Network endpoints1
api.anthropic.com/v1/messages

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` runs `scripts/install.js` as `postinstall`.
  • `scripts/install.js` creates `~/.claude/skills` and symlinks all bundled skills there.
  • Installer replaces same-named symlinks and renames non-symlink destinations to `.bak`.
  • `scripts/uninstall.js` deletes symlinks under `~/.claude/skills`.
Evidence against
  • Bundled targets are package-aligned skill names discovered from `skills/*/SKILL.md`.
  • `README.md` explicitly documents global installation and Claude Code skill linking.
  • No child-process, shell, dynamic-code, credential-harvesting, or remote-payload behavior found.
  • `scripts/eval.js` contacts only `api.anthropic.com` when explicitly run and uses `ANTHROPIC_API_KEY` for that request.
Behavioral surface
Source
EnvironmentVarsFilesystemNetwork
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 10.1 KB of source

Source & flagged code

5 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts/install.jsView file
6Install-time AI-agent control hijack evidence: L6: const skillsDir = path.join(__dirname, "..", "skills"); L7: const targetDir = path.join(os.homedir(), ".claude", "skills"); L8: ... L14: L15: // Ensure ~/.claude/skills exists L16: fs.mkdirSync(targetDir, { recursive: true }); L17: Payload evidence from skills/cami-design/SKILL.md: L173: L174: - **Version**: the canonical version is `package.json`. Sub-skill `metadata.version` fields are intentionally absent — they never moved in lockstep with absorptions, so they were d... L175: - **Evolution**: this skill grows by absorbing techniques from upstream skills. Never copy blindly — run the eval corpus first, then cherry-pick into the relevant reference file, t...
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/install.jsView on unpkg · L6
scripts/eval.jsView file
matchType = normalized_sha256 matchedPackage = cami-design@0.3.4 matchedPath = scripts/eval.js matchedIdentity = npm:Y2FtaS1kZXNpZ24:0.3.4 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

scripts/eval.jsView on unpkg
matchType = malicious_source_fingerprint_signature signature = 636b506d114bd817 signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = cami-design@0.3.4 matchedPath = scripts/eval.js matchedIdentity = npm:Y2FtaS1kZXNpZ24:0.3.4 similarity = 1.000 shingleOverlap = 3 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

scripts/eval.jsView on unpkg

Findings

1 Critical3 High4 Medium3 Low
CriticalAi Agent Control Hijackscripts/install.js
HighInstall Time Lifecycle Scriptspackage.json
HighKnown Malware Source Similarityscripts/eval.js
HighKnown Malware Source Fingerprint Signaturescripts/eval.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem