registry  /  motion-diagram  /  1.0.3

motion-diagram@1.0.3

Agent-driven animated API/flow diagram renderer (MP4 + carousel) with an MCP server.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package mutates AI-agent MCP and skill configuration during npm postinstall when known agent directories already exist. This is unconsented install-time modification of broad/foreign agent control surfaces.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install of motion-diagram@1.0.3 on a machine with detected Cursor, Claude, or Pi config directories
Impact
AI agents may load and run the package's MCP server via npx without explicit user setup.
Mechanism
postinstall MCP server registration and skill copy
Policy narrative
On installation, package.json invokes scripts/install-skill.js with --auto. If Cursor, Claude, or Pi agent config directories exist, the script creates or edits their MCP config to add a motion-diagram server launched as npx -y motion-diagram-mcp, and may copy package skill files into agent skill directories. This occurs during npm postinstall rather than an explicit setup command.
Rationale
Source inspection confirms unconsented npm postinstall mutation of foreign/broad AI-agent control surfaces, which meets the block policy even though the MCP functionality itself appears package-aligned. No additional exfiltration or destructive payload was found.
Evidence
package.jsonscripts/install-skill.jssrc/mcp/server.jssrc/cli/index.js~/.cursor/mcp.json~/Library/Application Support/Claude/claude_desktop_config.json%APPDATA%/Claude/claude_desktop_config.json~/.config/Claude/claude_desktop_config.json~/.pi/agent/mcp.json~/.claude/skills/motion-diagram~/.pi/agent/skills/motion-diagram

Decision evidence

public snapshot
AI called this Malicious at 93.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • package.json runs postinstall: node scripts/install-skill.js --auto || true
  • scripts/install-skill.js auto-detects Cursor, Claude, and Pi agent config directories
  • scripts/install-skill.js writes mcpServers.motion-diagram into ~/.cursor/mcp.json, Claude config, or ~/.pi/agent/mcp.json
  • scripts/install-skill.js configures agents to run npx -y motion-diagram-mcp
  • scripts/install-skill.js copies package skill files into ~/.claude/skills/motion-diagram or ~/.pi/agent/skills/motion-diagram
Evidence against
  • No credential harvesting or exfiltration found in inspected source
  • No relevant network endpoints beyond registry npx command configuration
  • MCP tools are package-aligned rendering/schema tools
  • CLI reads user-provided scene JSON and writes requested render outputs
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 24 file(s), 59.5 KB of source

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/install-skill.js --auto || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/install-skill.js --auto || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts/install-skill.jsView file
1Install-time AI-agent control hijack evidence: L6: // node scripts/install-skill.js --client cursor # force a specific client L7: import { cpSync, existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs"; L8: import { homedir, platform } from "node:os"; ... L65: const dir = dirname(path); L66: if (!existsSync(dir)) mkdirSync(dir, { recursive: true }); L67: L68: const cfg = existsSync(path) ? readJson(path) : {}; L69: if (!cfg.mcpServers || typeof cfg.mcpServers !== "object") cfg.mcpServers = {}; L70: L71: const existing = cfg.mcpServers[SERVER_NAME]; L72: if (existing && JSON.stringify(existing) === JSON.stringify(SERVER_ENTRY)) { ... L74: } Payload evidence from skills/motion-diagram/SKILL.md: L1: --- L2: name: motion-diagram
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/install-skill.jsView on unpkg · L1

Findings

1 Critical1 High3 Medium3 Low
CriticalAi Agent Control Hijackscripts/install-skill.js
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings