AI Security Review
scanned 21h ago · by lpm-firewall-ai

Install-time lifecycle scripts mutate AI-agent control surfaces by linking or copying package-supplied skills, output styles, and agent prompts into the user's IDE/agent directories. This happens automatically on npm install unless environment opt-outs are set.
Decision evidence
public snapshot
- package.json defines postinstall: node ./scripts/install-skills.mjs
- scripts/install-skills.mjs postinstall symlinks bundled skills into ~/.claude, ~/.codex, ~/.cursor, ~/.trae, ~/.qoder, ~/.hermes, ~/.openclaw paths
- scripts/install-skills.mjs copies bundled agents/*.md into ~/.claude/agents with .peaks-managed markers
- scripts/install-skills.mjs creates/updates ~/.peaks/config.json during install
- scripts/install-skills.mjs can spawnSync('peaks', ['upgrade', ...]) during postinstall when 1.x project state is detected
- agents/karpathy-reviewer.md is a package-supplied sub-agent prompt installed into Claude's agent loader directory
- No remote exfiltration endpoint or credential harvesting found in inspected hot paths
- Writes use marker/hash checks and skip user-authored files in several cases
- Most child_process use is package-aligned CLI orchestration, not arbitrary shell input
- Network strings found were repository/docs/local proxy references, not active install-time exfiltration
Source & flagged code
11 flagged
- package.json: Package defines install-time lifecycle scripts.
- dist/src/shared/process.js (line 1): Package source references child process execution.
- dist/src/services/upgrade/upgrade-service.js (line 151): Package source references shell execution.
- dist/src/cli/commands/loop-eval-commands.js (line 478): Package source references dynamic require/import behavior.
- scripts/install-skills.mjs (line 1): Install-time source drops package-supplied AI-agent/MCP control files or instructions.
- dist/src/cli/commands/playwright-commands.js (line 27): Package source invokes a package manager install command at runtime.
- dist/src/cli/commands/playwright-commands.js: Source file is highly similar to a previously finalized malicious package; route for source-aware review.
- dist/src/services/code-review/ocr-service.js: Source file is highly similar to a previously finalized malicious package; route for source-aware review.
- dist/src/services/artifacts/artifact-service.js: Source file is highly similar to a previously finalized malicious package; route for source-aware review.
- dist/src/services/workspace/migrate-service.js: Source file is highly similar to a previously finalized malicious package; route for source-aware review.
- dist/src/cli/commands/test-commands.js: Source file is highly similar to a previously finalized malicious package; route for source-aware review.