registry  /  canonical-cli-skill  /  0.1.3

canonical-cli-skill@0.1.3

Cross-agent CLI review skill installer for Copilot, Pi, Claude Code, and OpenCode.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package automatically installs package-owned AI-agent skill files during npm postinstall. This mutates the consumer repository but is bounded to its documented CLI review skill payload and detected/selected adapters.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install or npx/package install running postinstall
Impact
Unconsented agent extension setup in the target repository; no confirmed exfiltration or remote code execution.
Mechanism
postinstall file copy into repo skill/agent configuration paths
Rationale
This is not clean because npm postinstall performs automatic agent-extension setup in a consumer repo, but the files are package-owned, documented, bounded, and lack exfiltration or stealth execution. Under the install control-surface policy this is a warning-level lifecycle risk, not a publish-blocking hijack.
Evidence
package.jsonscripts/cli.jsREADME.mdcli-skill/SKILL.mdcli-skill/stubs/entrypoints/github-skill/SKILL.mdcli-skill/stubs/entrypoints/pi-skill/SKILL.mdcli-skill/stubs/agents/claude-code/commands.yamlcli-skill/stubs/agents/opencode/commands.jsoncli-skill/**scripts/calculate_cli_score.py.cli-skill-install-state.json.github/skills/cli-skill/SKILL.md.pi/skills/cli-skill/SKILL.md.claude/commands/cli-skill.yaml.opencode/commands/cli-skill.json

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json runs postinstall: node scripts/cli.js install --postinstall
  • scripts/cli.js resolves target to INIT_CWD/cwd git root and writes files there
  • scripts/cli.js copies cli-skill tree, scripts/calculate_cli_score.py, and detected agent adapters under .github/.pi/.claude/.opencode
  • Agent selection can be forced by CLI_SKILL_AGENTS and force overwrite by CLI_SKILL_FORCE
Evidence against
  • No fetch/http client, curl/wget, or network execution in scripts/cli.js
  • Only child_process use is git rev-parse --show-toplevel
  • Overwrite logic skips unmanaged existing files unless --force is set
  • Payload files are CLI review skill docs/config, not credential harvesting or remote payload loaders
  • README documents npm installer purpose and target behavior
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemShell
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 13.3 KB of source

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/cli.js install --postinstall
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/cli.js install --postinstall
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts/cli.jsView file
1Install-time AI-agent control hijack evidence: L46: paths: [ L47: "CLAUDE.md", L48: ".claude", L49: ".claude/commands", L50: ], ... L55: "opencode.json", L56: ".opencode", L57: ".opencode/commands", L58: ], ... L92: const reasons = {}; L93: const hintFiles = ["AGENTS.md"]; L94: Payload evidence from cli-[redacted].md: L1: --- L2: name: cli-skill
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/cli.jsView on unpkg · L1
scripts/calculate_cli_score.pyView file
path = scripts/calculate_cli_score.py kind = build_helper sizeBytes = 3188 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/calculate_cli_score.pyView on unpkg

Findings

1 Critical1 High4 Medium2 Low
CriticalAi Agent Control Hijackscripts/cli.js
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
MediumShips Build Helperscripts/calculate_cli_score.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem