AI Security Review
scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package has an install-time hook that seeds package-owned AI Flow knowledge files under the user's home directory. It does not automatically mutate Claude/Cursor agent skill directories during postinstall; that occurs only via explicit CLI install.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; user-invoked ai-flow-skills install or copy-to runs broader setup
Impact
Lifecycle writes user-level package data; explicit commands can install bundled skills into agent-managed locations
Mechanism
first-party AI Flow skill/knowledge file seeding
Rationale
This is a package-aligned AI Flow skills distribution with a real lifecycle write to user home, but no concrete malicious chain or unconsented broad agent control-surface mutation was found. The residual risk is first-party agent extension lifecycle/setup behavior, so warn rather than block.
Evidence
- package.json
- scripts/postinstall.sh
- scripts/install.sh
- scripts/ai-flow-skills-cli.sh
- scripts/build.sh
- README.md
- dist/claude-code/ai-flow/SKILL.md
- $HOME/.ai-flow/knowledge
- $HOME/.ai-flow/flow-solutions
- dist/user-data/knowledge
- dist/user-data/flow-solutions
- dist/claude-code
- target directory passed to copy-to
Decision evidence
public snapshot · AI called this Suspicious at 89.0% confidence as Benign with medium false-positive risk.
Evidence for warning
- package.json defines postinstall: bash scripts/postinstall.sh
- scripts/postinstall.sh creates and writes $HOME/.ai-flow/knowledge and $HOME/.ai-flow/flow-solutions during npm install
- scripts/ai-flow-skills-cli.sh install explicitly runs npx skills add to install agent skills globally
- scripts/ai-flow-skills-cli.sh check invokes npm view for version lookup
Evidence against
- postinstall only copies bundled dist/user-data files and strips .DS_Store; no credential reads or exfiltration found
- agent skill installation is behind explicit ai-flow-skills install command, not postinstall
- No curl/wget or arbitrary remote payload execution found in lifecycle scripts
- No eval/vm/Function/native binary loading found
- README documents the postinstall ~/.ai-flow data seeding and explicit skill install flow
- Bundled SKILL.md files are domain documentation for AI Flow workflows, with user-confirmation guardrails
Behavioral surface
Source & flagged code
3 flagged

package.json
- scripts.postinstall = bash scripts/postinstall.sh

High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
File: package.json

Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
File: package.json

scripts/install.sh
- path = scripts/install.sh
- kind = build_helper
- sizeBytes = 3815
- magicHex = [redacted]

Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
File: scripts/install.sh

Findings
1 High · 2 Medium · 1 Low
- High · Install Time Lifecycle Scripts · package.json
- Medium · Ambiguous Install Lifecycle Script · package.json
- Medium · Ships Build Helper · scripts/install.sh
- Low · Scripts Present