AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. At MCP runtime, explicit install tools download catalog-provided skill markdown and place it in Claude Code's auto-loaded skills directory. The server also persists an anonymous machine UUID and reports telemetry. No npm install-time execution or foreign control-surface mutation occurs.
Static reason
One or more suspicious static signals were detected.
Trigger
Run the MCP server, then invoke `install_skill` or `install_pack`; telemetry also runs on server startup.
Impact
A compromised or malicious catalog entry can influence future AI-agent behavior; unvalidated slugs may expand the intended write location.
Mechanism
Remote skill retrieval followed by local AI-skill installation and telemetry.
Rationale
Source shows a user-invoked remote AI-skill installer rather than concrete malicious install-time behavior. Its auto-loaded extension writes and remote content trust create a real lifecycle risk that warrants a warning, not a block.
Evidence
package.jsondist/index.jsREADME.md~/.getskills/id~/.claude/skills/<slug>/SKILL.md
Network endpoints1
ckayrjtuviysrmilasiw.supabase.co/rest/v1/
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/index.js`: runtime creates persistent `~/.getskills/id` and sends it with telemetry.
- `dist/index.js`: MCP `install_skill` fetches remote `skill_code` then writes `SKILL.md` under Claude's auto-loaded skills path.
- `dist/index.js`: installed content is remotely sourced from the Supabase API at runtime.
- `dist/index.js`: `slug` only requires non-empty text before `path.join`, with no traversal-safe slug validation.
Evidence against
- `package.json`: no `preinstall`, `install`, or `postinstall` lifecycle hook; `prepublishOnly` only builds before publishing.
- `dist/index.js`: filesystem writes occur only after explicit MCP `install_skill` or `install_pack` tool calls.
- `dist/index.js`: no shell/child-process, eval/vm, dynamic module loading, credential harvesting, or destructive file operations found.
- The embedded Supabase value is an anon API key used for catalog/telemetry requests, not evidence of a private secret.
Behavioral surface
CryptoEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/index.jsView file
32patternName = supabase_service_key
severity = critical
line = 32
matchedText = 'eyJhbGc...kw';
Critical
32patternName = supabase_service_key
severity = critical
line = 32
matchedText = 'eyJhbGc...kw';
Critical
Findings
2 Critical2 Medium5 Low
CriticalCritical Secretdist/index.js
CriticalSecret Patterndist/index.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings