registry  /  openskillmd  /  0.6.4

openskillmd@0.6.4

The OpenSkill CLI (osm) — search, add, score, and explore AI agent capabilities (skills, blueprints, MCP servers, plugins) from your terminal

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `osm add`, `osm plugin install`, or `osm router install`.
Impact
May add skills/plugins or router instructions to local project/user agent environments; telemetry posts install metadata unless opted out.
Mechanism
explicit CLI agent skill/plugin installation and package-aligned API telemetry
Rationale
This is not malicious because there is no unconsented install-time mutation, payload execution, credential theft, or stealth persistence. It still warrants a warning because explicit commands can modify AI-agent capability/control surfaces.
Evidence
package.jsondist/index.jsdist/plugin-F3YZSTVP.jsdist/add-SLI6RQWN.jsdist/router-OL6DZN5S.jsdist/chunk-VRPJTK2B.js~/.openskill/config.json.skills/openskill-router.md.skills/<slug>.md.blueprints/<slug>.md
Network endpoints3
openskill.md/apiopenskill.md/docs/telemetryOPENSKILL_API_URL

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/plugin-F3YZSTVP.js explicit `osm plugin install` can spawn `claude` or `codex` to add plugin marketplaces/install plugins.
  • dist/add-SLI6RQWN.js explicit `osm add` spawns bundled `skills` installer for agent skill installation.
  • dist/router-OL6DZN5S.js explicit router install fetches SKILL.md and writes `.skills/openskill-router.md`.
  • dist/chunk-VRPJTK2B.js sends opt-out telemetry/install events to the OpenSkill API.
Evidence against
  • package.json has no preinstall/install/postinstall hook; only prepublishOnly build hook.
  • dist/index.js only wires commander CLI commands; dangerous actions require explicit CLI subcommands.
  • Scanner remote execute hint maps to bundled Zod `Function`/JIT code, not a fetched payload.
  • Network endpoints are package-aligned registry/API calls under openskill.md or OPENSKILL_API_URL override.
  • No credential harvesting, destructive behavior, persistence, or stealth import-time execution found.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 19 file(s), 1.17 MB of source, external domains: github.com, json-schema.org, openskill.md, staging.openskill.md

Source & flagged code

5 flagged · loading source
dist/plugin-F3YZSTVP.jsView file
2import { createRequire as __createRequire } from "node:module"; const require = __createRequire(import.meta.url); L3: import{b as $,c as C,l as k}from"./chunk-C4S3KDSI.js";import"./chunk-VRPJTK2B.js";import{g as f,h as S,k as R,l as u,t as x,u as d,w as P}from"./chunk-4WV7FA5L.js";import{spawn as ... L4: `),process.exit(2)}e.json?P({ok:!1,slug:n,error:{code:"PLUGIN_LOOKUP_FAILED",message:t instanceof Error?t.message:"Unknown error"}}):process.stderr.write(d(`Couldn't reach the regi...
High
Child Process

Package source references child process execution.

dist/plugin-F3YZSTVP.jsView on unpkg · L2
dist/chunk-VRPJTK2B.jsView file
2import { createRequire as __createRequire } from "node:module"; const require = __createRequire(import.meta.url); L3: import{c as ee,u as Uu}from"./chunk-4WV7FA5L.js";var Ou="0.6.1";import{randomUUID as Tf}from"crypto";import{chmod as Ef,mkdir as Af,readFile as Zd,writeFile as Lf}from"fs/promises"... L4: `)}var Se=t=>(r,i,o,e)=>{let n=o?{...o,async:!1}:{async:!1},a=r._zod.run({value:i,issues:[]},n);if(a instanceof Promise)throw new W;if(a.issues.length){let c=new(e?.Err??t)(a.issue... L5: `).filter(a=>a),e=Math.min(...o.map(a=>a.length-a.trimStart().length)),n=o.map(a=>a.slice(e)).map(a=>" ".repeat(this.indent*2)+a);for(let a of n)this.content.push(a)}compile(){let ... L6: `))}};var Oi={major:4,minor:4,patch:3};var x=l("$ZodType",(t,r)=>{var i;t??(t={}),t._zod.def=r,t._zod.bag=t._zod.bag||{},t._zod.version=Oi;let o=[...t._zod.def.checks??[]];t._zod.t... L7: if (${P}.issues.length) { ... L66: L67: Set the \`cycles\` parameter to \`"ref"\` to resolve cyclical schemas with defs.`)}for(let a of t.seen.entries()){let c=a[1];if(r===a[0]){n(a);continue}if(t.external){let u=t.exter... L68: `)}async function Ed(t){await Af(Nd,{recursive:!0,mode:448}),await Lf(Nt,JSON.stringify(t,null,2
Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

dist/chunk-VRPJTK2B.jsView on unpkg · L2
Trigger-reachable chain: manifest.bin -> dist/index.js -> dist/chunk-VRPJTK2B.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/chunk-VRPJTK2B.jsView on unpkg
2import { createRequire as __createRequire } from "node:module"; const require = __createRequire(import.meta.url); L3: import{c as ee,u as Uu}from"./chunk-4WV7FA5L.js";var Ou="0.6.1";import{randomUUID as Tf}from"crypto";import{chmod as Ef,mkdir as Af,readFile as Zd,writeFile as Lf}from"fs/promises"... L4: `)}var Se=t=>(r,i,o,e)=>{let n=o?{...o,async:!1}:{async:!1},a=r._zod.run({value:i,issues:[]},n);if(a instanceof Promise)throw new W;if(a.issues.length){let c=new(e?.Err??t)(a.issue... L5: `).filter(a=>a),e=Math.min(...o.map(a=>a.length-a.trimStart().length)),n=o.map(a=>a.slice(e)).map(a=>" ".repeat(this.indent*2)+a);for(let a of n)this.content.push(a)}compile(){let ... L6: `))}};var Oi={major:4,minor:4,patch:3};var x=l("$ZodType",(t,r)=>{var i;t??(t={}),t._zod.def=r,t._zod.bag=t._zod.bag||{},t._zod.version=Oi;let o=[...t._zod.def.checks??[]];t._zod.t... L7: if (${P}.issues.length) { ... L66: L67: Set the \`cycles\` parameter to \`"ref"\` to resolve cyclical schemas with defs.`)}for(let a of t.seen.entries()){let c=a[1];if(r===a[0]){n(a);continue}if(t.external){let u=t.exter... L68: `)}async function Ed(t){await Af(Nd,{recursive:!0,mode:448}),await Lf(Nt,JSON.stringify(t,null,2
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/chunk-VRPJTK2B.jsView on unpkg · L2
dist/index.jsView file
2Cross-file remote execution chain: dist/index.js spawns dist/chunk-VRPJTK2B.js; helper contains network access plus dynamic code execution. L2: import { createRequire as __createRequire } from "node:module"; const require = __createRequire(import.meta.url); L3: import{a as S,d as z,f as Q}from"./chunk-VRPJTK2B.js";import{a as C,b as O,d as ft,f,g as J,j as E,k as A,m as K,o as Y}from"./chunk-4WV7FA5L.js";var b=O($=>{"use strict";var y=cla... L4: `)}displayWidth(t){return X(t).length}styleTitle(t){return t}styleUsage(t){return t.split(" ").map(e=>e==="[options]"?this.styleOptionText(e):e==="[command]"?this.styleSubcommandTe... ... L14: (Did you mean one of ${i.join(", ")}?)`:i.length===1?` L15: (Did you mean ${i[0]}?)`:""}tt.suggestSimilar=yt});var rt=O(L=>{"use strict";var wt=C("events").EventEmitter,N=C("child_process"),g=C("path"),x=C("fs"),m=C("process"),{Argument:xt,... L16: - specify the name in Command constructor or using .name()`);return e=e||{},e.isDefault&&(this._defaultCommandName=t._name),(e.noHelp||e.hidden)&&(t._hidden=!0),this._registerComma...
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.jsView on unpkg · L2

Findings

2 Critical3 High3 Medium6 Low
CriticalRemote Asset Decode Executedist/chunk-VRPJTK2B.js
CriticalTrigger Reachable Dangerous Capabilitydist/chunk-VRPJTK2B.js
HighChild Processdist/plugin-F3YZSTVP.js
HighSandbox Evasion Gated Capabilitydist/chunk-VRPJTK2B.js
HighCross File Remote Execution Contextdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings