AI Security Review
scanned 4d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. The risky primitives are scaffold-aligned: creating project files, initializing git, and optionally installing documented agent skills for generated projects.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs create-obsidian-arrow bin, then optionally runs pnpm install or skills scripts in the generated project.
Impact
Creates/updates scaffold-managed files and may install documented agent skills when user-interactive or explicitly requested.
Mechanism
project scaffold plus optional skills CLI installation
Rationale
Static inspection shows a normal create-* scaffold package with documented template and optional skill-install behavior, not hidden install-time execution in the published package or credential/data theft. The scanner flags map to package-aligned child_process and environment use in the generated project tooling.
Evidence
package.jsonindex.mjstemplate/package.jsontemplate/scripts/install-skills.mjstemplate/AGENTS.mdtemplate/CLAUDE.mdtemplate/AGENTS.mdCLAUDE.mdscripts/docs/.github/.huskybiome.json.gitignore
Network endpoints4
github.com/kylebrodeur/obsidian-arrow-sandbox#readmegithub.com/kylebrodeur/obsidian-arrow-sandbox/issuesgit+https://github.com/kylebrodeur/obsidian-arrow-sandbox.gitgithub.com/vercel-labs/skills
Decision evidence
public snapshotAI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
- template/package.json defines postinstall running scripts/install-skills.mjs in generated projects.
- template/scripts/install-skills.mjs can spawn npx --yes skills add/update from kylebrodeur/obsidian-arrow-sandbox when interactive or explicitly forced.
- index.mjs scaffold/update writes template AGENTS.md and CLAUDE.md into target project as managed scaffold files.
Evidence against
- package.json has no lifecycle scripts; package execution is via bin index.mjs only.
- index.mjs copies a vendored template, renames package.json, and runs git init; no credential reads or exfiltration.
- install-skills.mjs skips auto-install in CI/non-TTY, supports SKIP_SKILLS_INSTALL=1, and uses visible skills CLI commands.
- No eval/vm/native binary loading or hidden network endpoints found by rg inspection.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemShell
Source & flagged code
2 flagged · loading sourcetemplate/scripts/install-skills.mjsView file
35*/
L36: import { spawnSync } from "node:child_process";
L37: import fs from "node:fs";
High
Child Process
Package source references child process execution.
template/scripts/install-skills.mjsView on unpkg · L35102console.log(`[skills] ${pretty}${where}`);
L103: const result = spawnSync("npx", ["--yes", "skills", ...args], {
L104: cwd,
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
template/scripts/install-skills.mjsView on unpkg · L102Findings
3 High1 Medium1 Low
HighChild Processtemplate/scripts/install-skills.mjs
HighShell
HighRuntime Package Installtemplate/scripts/install-skills.mjs
MediumEnvironment Vars
LowFilesystem