AI Security Review
scanned 4d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. The package is a scaffolder whose risky primitives are aligned with creating/updating a project template and optional documented skill installation.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs create-obsidian-arrow, then optionally runs pnpm install or pnpm skills:install in the generated project.
Impact
Creates or refreshes project template files; optional skill installer may install agent skills from the package-aligned GitHub repo.
Mechanism
Scaffold file copy/update plus documented optional npx skills install helper
Rationale
Static inspection shows a normal create-package CLI with no package-level lifecycle execution and no hidden credential theft, persistence, or exfiltration. The scanner hits are explained by documented user-facing scaffolding/update behavior and a generated-project skill installer that is opt-outable and inert in non-interactive postinstall contexts.
Evidence
package.jsonindex.mjstemplate/package.jsontemplate/scripts/install-skills.mjstemplate/scripts/pull-app-css.mjstemplate/AGENTS.mdtemplate/CLAUDE.mdtarget project: template files copied from template/target project/package.jsontarget project/.gitignoretarget project/.gittarget project/public/app.css
Network endpoints4
github.com/kylebrodeur/obsidian-arrow-sandboxgithub.com/vercel-labs/skillsobsidian.md/arrow-js.com/
Decision evidence
public snapshotAI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
- template/package.json adds postinstall in generated projects, invoking template/scripts/install-skills.mjs.
- template/scripts/install-skills.mjs can run npx --yes skills add/update from kylebrodeur/obsidian-arrow-sandbox when interactive/forced/user-invoked.
- index.mjs writes scaffold/update files and runs git init when the bin is invoked.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks for this package itself.
- index.mjs is a create-project CLI: copies vendored template, renames package.json, and only runs git init in the target dir.
- template/scripts/install-skills.mjs is documented, opt-outable, no-op in CI/non-TTY unless forced, and prints manual install instructions.
- No credential harvesting, destructive commands, obfuscated code, eval/vm/Function, native binary loading, or exfiltration endpoints found.
- Network-related URLs are project/docs/repository links or the package-aligned npx skills source, not hidden exfiltration.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemShell
Source & flagged code
2 flagged · loading sourcetemplate/scripts/install-skills.mjsView file
35*/
L36: import { spawnSync } from "node:child_process";
L37: import fs from "node:fs";
High
Child Process
Package source references child process execution.
template/scripts/install-skills.mjsView on unpkg · L35102console.log(`[skills] ${pretty}${where}`);
L103: const result = spawnSync("npx", ["--yes", "skills", ...args], {
L104: cwd,
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
template/scripts/install-skills.mjsView on unpkg · L102Findings
3 High1 Medium1 Low
HighChild Processtemplate/scripts/install-skills.mjs
HighShell
HighRuntime Package Installtemplate/scripts/install-skills.mjs
MediumEnvironment Vars
LowFilesystem