registry  /  canonical-cli-skill  /  0.1.2

canonical-cli-skill@0.1.2

Cross-agent CLI review skill installer for Copilot, Pi, Claude Code, and OpenCode.

AI Security Review

scanned 8d ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package mutates repository AI-agent control surfaces at npm postinstall time. The behavior is package-aligned but still automatic lifecycle installation of agent instructions and command routing files.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install/npx that runs package postinstall, or explicit canonical-cli-skill install
Impact
Unconsented repository AI-agent behavior changes; detected agents may receive new commands/instructions without an explicit install command.
Mechanism
postinstall copies skill and agent adapter files into target repository
Policy narrative
On package installation, npm runs the postinstall hook, which invokes scripts/cli.js install --postinstall. That script resolves the caller's project root, copies the bundled cli-skill tree into it, and, when agent markers are detected, drops Copilot, Pi, Claude Code, or OpenCode adapter/control files. This changes AI-agent command surfaces during lifecycle execution rather than only after an explicit runtime command.
Rationale
Static inspection confirms automatic postinstall writes of AI-agent instruction/control files into the consumer repository, which meets the firewall block condition for unconsented lifecycle AI-agent control-surface mutation. The payload content appears mostly benign and package-aligned, but the activation path is install-time mutation of agent controls. Product guard normalized a non-low false-positive publish_block request to warn-only suspicious.
Evidence
package.jsonscripts/cli.jscli-skill/SKILL.mdcli-skill/stubs/entrypoints/github-skill/SKILL.mdcli-skill/stubs/entrypoints/pi-skill/SKILL.mdcli-skill/stubs/agents/claude-code/commands.yamlcli-skill/stubs/agents/opencode/commands.jsoncli-skill/commands/install-cli-pr-workflow.mdcli-skill/references/cli-skill-review-pr.ymlcli-skill/<target>/cli-skill/**<target>/.github/skills/cli-skill/SKILL.md<target>/.pi/skills/cli-skill/SKILL.md<target>/.claude/commands/cli-skill.yaml<target>/.opencode/commands/cli-skill.json<target>/.cli-skill-install-state.json

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node scripts/cli.js install --postinstall.
  • scripts/cli.js postinstall resolves INIT_CWD/cwd or git root as target and writes into that project.
  • scripts/cli.js always copies package cli-skill/ into target cli-skill/ during install.
  • scripts/cli.js auto-detects Copilot/Pi/Claude/OpenCode markers and copies adapter files into .github/.pi/.claude/.opencode control paths.
  • Installed skill includes /install-cli-pr-workflow instructions to create .github/workflows/cli-review.yml using secrets.
Evidence against
  • No fetch/http client, outbound network code, or hardcoded exfiltration endpoint in executable JS.
  • child_process use is limited to git rev-parse --show-toplevel.
  • Existing unmanaged files are skipped unless --force; managed updates use hashes/state.
  • No credential harvesting found in scripts/cli.js; secret strings are documentation/workflow references.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemShell
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 12.4 KB of source

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/cli.js install --postinstall
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/cli.js install --postinstall
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts/cli.jsView file
1Install-time AI-agent control hijack evidence: L46: paths: [ L47: "CLAUDE.md", L48: ".claude", L49: ".claude/commands", L50: ], ... L55: "opencode.json", L56: ".opencode", L57: ".opencode/commands", L58: ], ... L92: const reasons = {}; L93: const hintFiles = ["AGENTS.md"]; L94: Payload evidence from cli-[redacted].md: L1: --- L2: name: cli-skill
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/cli.jsView on unpkg · L1

Findings

1 Critical1 High3 Medium2 Low
CriticalAi Agent Control Hijackscripts/cli.js
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem