registry  /  peaks-loop  /  4.0.0-beta.14

peaks-loop@4.0.0-beta.14

Loop Engineering CLI — workflow primitive / loop guards / evaluators / slice orchestration

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Installing the package triggers unconsented mutation of broad, foreign AI-agent control surfaces. It deploys package-controlled skills, prompts, and styles across multiple agent platforms and modifies user configuration.

Static reason
High-risk behavior combination matched malicious policy.; source matched previously finalized malicious package; routed for review
Trigger
npm lifecycle `postinstall` during package installation
Impact
Package-controlled instructions become discoverable by multiple local AI-agent runtimes without an explicit setup command.
Mechanism
cross-platform AI-agent skill and prompt deployment via symlinks and file writes
Policy narrative
On installation, `postinstall` runs `scripts/install-skills.mjs`. The script iterates its configured AI-agent profiles and installs package-owned skills into agent discovery directories, including Codex, Claude, Cursor, Trae, Qoder, and others; it also installs agent prompts and output styles, and creates user configuration. These are automatic writes to broad foreign agent control surfaces, not an explicit user-invoked setup flow.
Rationale
Source inspection confirms a concrete npm postinstall chain that deploys package-controlled AI-agent instructions across multiple unrelated agent homes. Under the firewall policy, this is an unconsented broad AI-agent control-surface mutation and requires blocking.
Evidence
package.jsonscripts/install-skills.mjsagents/karpathy-reviewer.mdskills/peaks-code/SKILL.md.claude-plugin/marketplace.jsonskills/agents/output-styles/~/.claude/skills~/.codex/skills~/.cursor/skills~/.claude/agents~/.peaks/config.json

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • `package.json` runs `scripts/install-skills.mjs` as `postinstall`.
  • `scripts/install-skills.mjs` fan-outs bundled skills to every configured AI-agent home directory, including `~/.codex/skills`, `~/.cursor/skills`, and `~/.claude/skills`.
  • The postinstall creates symlinks to package-supplied skill directories and writes `.peaks-managed` markers.
  • The postinstall copies package-supplied agent prompts into agent loader directories and writes output styles.
  • The postinstall creates/updates `~/.peaks/config.json` and can invoke `peaks upgrade --auto` against the install CWD.
Evidence against
  • Install script has opt-out environment variables and symlink/path-integrity checks.
  • No network request or credential-exfiltration behavior was found in the inspected postinstall path.
  • Bundled skill text includes directions not to persist sensitive browser/session data.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 530 file(s), 3.43 MB of source, external domains: api.anthropic.com, api.example.com, api.github.com, api.openai.com, github.com, gitlab.com, reactbits.dev, www.google.com, www.pulsemcp.com

Source & flagged code

12 flagged · loading source
package.jsonView file
scripts.postinstall = node ./scripts/install-skills.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/shared/process.jsView file
1import { execFile } from 'node:child_process'; L2: export async function execCommand(command, args, options) {
High
Child Process

Package source references child process execution.

dist/shared/process.jsView on unpkg · L1
dist/services/upgrade/upgrade-service.jsView file
182// npm install postinstall creates `peaks` → `peaks.sh` on L183: // Windows). cmd.exe (the default Windows shell) cannot run L184: // `.sh` scripts directly, so the shim fails with "unknown
High
Shell

Package source references shell execution.

dist/services/upgrade/upgrade-service.jsView on unpkg · L182
dist/cli/commands/loop-eval-commands.jsView file
478// eslint-disable-next-line @typescript-eslint/no-var-requires L479: const fs = require('node:fs'); L480: let entries;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cli/commands/loop-eval-commands.jsView on unpkg · L478
dist/services/code/job-shape-decision.jsView file
92try { L93: parsed = JSON.parse(raw); L94: }
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/services/code/job-shape-decision.jsView on unpkg · L92
scripts/install-skills.mjsView file
1Install-time AI-agent control hijack evidence: L1: #!/usr/bin/env node L2: import { closeSync, constants, existsSync, fchmodSync, fstatSync, lstatSync, mkdirSync, openSync, readFileSync, readlinkSync, realpathSync, readdirSync, renameSync, symlinkSync, un... L3: import { spawnSync } from 'node:child_process'; ... L285: fchmodSync(fd, 0o600); L286: writeFileSync(fd, content, 'utf8'); L287: const writeFd = fd; ... L314: fchmodSync(fd, 0o600); L315: writeFileSync(fd, content, 'utf8'); L316: const writeFd = fd; ... L366: * cannot import the TS service at runtime. The dispatch: L367: * - Look for `.claude`, `.trae`, `.codex`, `.cursor`, `.qoder`, L368: * `.tongyi-lingma` in the project root in that insertion order Payload evidence from schemas/mcp-install-spec.schema.json: L1: { L2: "$schema": "https://json-schema.org/draft/2020-12/schema", L3: "title": "Peaks MCP Install Spec", ... L25: "items": { "type": "string" }, L26: "description": "Required env var names. Values are sourced from process.env at runtime and written as ${VAR} placeholders into settings.json." L27: }
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/install-skills.mjsView on unpkg · L1
dist/cli/commands/playwright-commands.jsView file
27* The CLI does NOT bundle `playwright-mcp`; it shells out to L28: * `npx playwright-mcp@latest` (G22 / NG3). peaks-loop is the lifecycle L29: * orchestrator, not the install medium. ... L31: import { createHash } from 'node:crypto'; L32: import { spawn } from 'node:child_process'; L33: import { existsSync, mkdirSync, readFileSync, writeFileSync, readdirSync, unlinkSync } from 'node:fs';
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli/commands/playwright-commands.jsView on unpkg · L27
matchType = normalized_sha256 matchedPackage = peaks-loop@4.0.0-beta.10 matchedPath = dist/cli/commands/playwright-commands.js matchedIdentity = npm:cGVha3MtbG9vcA:4.0.0-beta.10 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/cli/commands/playwright-commands.jsView on unpkg
dist/services/code-review/ocr-service.jsView file
matchType = normalized_sha256 matchedPackage = peaks-loop@4.0.0-beta.10 matchedPath = dist/services/code-review/ocr-service.js matchedIdentity = npm:cGVha3MtbG9vcA:4.0.0-beta.10 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/services/code-review/ocr-service.jsView on unpkg
dist/services/artifacts/artifact-service.jsView file
matchType = normalized_sha256 matchedPackage = peaks-loop@4.0.0-beta.10 matchedPath = [redacted]-service.js matchedIdentity = npm:cGVha3MtbG9vcA:4.0.0-beta.10 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/services/artifacts/artifact-service.jsView on unpkg
dist/services/runtime/vendors/codex.jsView file
matchType = normalized_sha256 matchedPackage = peaks-loop@4.0.0-beta.10 matchedPath = [redacted].js matchedIdentity = npm:cGVha3MtbG9vcA:4.0.0-beta.10 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/services/runtime/vendors/codex.jsView on unpkg
dist/services/runtime/vendors/copilot.jsView file
matchType = normalized_sha256 matchedPackage = peaks-loop@4.0.0-beta.10 matchedPath = [redacted].js matchedIdentity = npm:cGVha3MtbG9vcA:4.0.0-beta.10 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/services/runtime/vendors/copilot.jsView on unpkg

Findings

1 Critical9 High4 Medium7 Low
CriticalAi Agent Control Hijackscripts/install-skills.mjs
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/shared/process.js
HighShelldist/services/upgrade/upgrade-service.js
HighRuntime Package Installdist/cli/commands/playwright-commands.js
HighKnown Malware Source Similaritydist/cli/commands/playwright-commands.js
HighKnown Malware Source Similaritydist/services/code-review/ocr-service.js
HighKnown Malware Source Similaritydist/services/artifacts/artifact-service.js
HighKnown Malware Source Similaritydist/services/runtime/vendors/codex.js
HighKnown Malware Source Similaritydist/services/runtime/vendors/copilot.js
MediumDynamic Requiredist/cli/commands/loop-eval-commands.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/services/code/job-shape-decision.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings