AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No install-time attack surface was found. The explicit `skills` CLI command can install this package's bundled agent skill into configured personal or project agent-skill directories.
Decision evidence
public snapshot- `utils/skill-installer.js` can copy bundled skills into Codex, Claude, Copilot, and shared agent skill directories.
- `main/manage/commands/SkillsCommand.js` performs those writes when the user explicitly runs the `skills` command; noninteractive flags can select targets.
- `main/i18ntk-translate.js` dynamically requires a user-supplied `--translate-fn` module after path validation.
- `package.json` contains no preinstall, install, postinstall, prepare, or other lifecycle hook.
- `SkillsCommand` prompts for destination selection and confirmation in interactive mode; it installs only package-owned `skills/i18ntk` content.
- `utils/translate/safe-network.js` restricts translation requests to HTTPS allowlisted provider hosts and paths by default.
- Entrypoints invoke CLI behavior only behind `require.main === module`; no import-time payload execution found.
Source & flagged code
2 flagged · loading sourcePackage source references dynamic require/import behavior.
settings/settings-cli.jsView on unpkg · L6This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
main/i18ntk-scanner.jsView on unpkg