AI Security Review
scanned 1d ago · by lpm-firewall-ai

The package mutates AI-agent control surfaces during npm lifecycle installation. The behavior is disclosed in docs and aligned with the package's AI workflow-tool purpose, but it is still unconsented install-time agent/skill deployment across user home IDE directories.
Decision evidence
public snapshot
- package.json postinstall runs scripts/install-skills.mjs on install
- scripts/install-skills.mjs installs package-supplied skills/output-styles/agents into ~/.claude, ~/.codex, ~/.cursor, ~/.trae, ~/.qoder, etc.
- scripts/install-skills.mjs has explicit policy goal: npm install -g should symlink skills to every supported AI IDE
- agents/karpathy-reviewer.md says postinstall copies it to ~/.claude/agents/karpathy-reviewer.md on every install
- Bundled skills contain agent workflow instructions that change AI assistant behavior, not just passive library data
- Install script uses marker files, symlink/copy checks, path validation, and atomic writes
- No credential exfiltration or remote payload download found in inspected install script
- Network URLs observed are repository/readme/registry/localhost documentation links, not exfiltration endpoints
- child_process usage in dist appears tied to user-invoked CLI/audit/git workflows
Source & flagged code
6 flagged
- Package defines install-time lifecycle scripts. (package.json)
- Package source references child process execution. (dist/src/shared/process.js, line 1)
- Package source references shell execution. (dist/src/services/upgrade/upgrade-service.js, line 151)
- Package source references dynamic require/import behavior. (dist/src/cli/commands/loop-eval-commands.js, line 478)
- Install-time source drops package-supplied AI-agent/MCP control files or instructions. (scripts/install-skills.mjs, line 1)
- Package source invokes a package manager install command at runtime. (dist/src/cli/commands/playwright-commands.js, line 27)