AI Security Review
scanned 16h ago · by lpm-firewall-ai
LPM treats this as warn-only first-party agent extension lifecycle risk. Install-time behavior seeds bundled AI Flow knowledge files into a first-party $HOME/.ai-flow namespace. Agent skill installation into global agent directories is present but requires an explicit CLI command, not postinstall.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall; explicit ai-flow-skills install for agent skills
Impact
Warn-level lifecycle risk from automatic home-directory AI helper data writes; no confirmed malicious control hijack or exfiltration.
Mechanism
first-party agent knowledge seeding and user-invoked skill installation
Policy narrative
The package has a postinstall hook, but inspection shows it only seeds bundled documentation and solution files under $HOME/.ai-flow. Broader agent skill installation is implemented through explicit CLI commands using npx skills add, so there is agent-extension lifecycle risk but not unconsented foreign AI-agent control-surface hijacking at install time.
Rationale
Because lifecycle code writes bundled AI-assistant support data into a package-owned home namespace, this fits warn-level agent extension lifecycle risk. No concrete malicious behavior, credential access, exfiltration, persistence, or unconsented writes to foreign agent control surfaces were found.
Evidence
- package.json
- scripts/postinstall.sh
- scripts/install.sh
- scripts/ai-flow-skills-cli.sh
- dist/claude-code/ai-flow/SKILL.md
- $HOME/.ai-flow/knowledge
- $HOME/.ai-flow/flow-solutions
- agent global skills directory via npx skills add when user invokes install
Decision evidence
public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- package.json defines postinstall: bash scripts/postinstall.sh
- scripts/postinstall.sh automatically creates and copies package docs into $HOME/.ai-flow/knowledge and $HOME/.ai-flow/flow-solutions
- scripts/ai-flow-skills-cli.sh user-invoked install runs npx skills add --global for agent skills
Evidence against
- postinstall does not write .claude, Cursor, MCP, shell startup, VCS hooks, or autostart files
- postinstall only copies bundled dist/user-data files and skips if sources or $HOME/.ai-flow are unavailable
- No credential harvesting, env scraping, remote code fetch, eval, or background persistence found
- npm view version check is only in user-invoked ai-flow-skills check
Behavioral surface
Source & flagged code
3 flagged
package.json
- scripts.postinstall = bash scripts/postinstall.sh
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
- scripts.postinstall = bash scripts/postinstall.sh
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
scripts/install.sh
- path = scripts/install.sh
- kind = build_helper
- sizeBytes = 3815
- magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
Findings
1 High, 2 Medium, 1 Low
- High: Install Time Lifecycle Scripts (package.json)
- Medium: Ambiguous Install Lifecycle Script (package.json)
- Medium: Ships Build Helper (scripts/install.sh)
- Low: Scripts Present