registry  /  perfetto-analyzer  /  1.0.4

perfetto-analyzer@1.0.4

AI skill for Android performance analysis using Perfetto — works with Claude Code, Cursor, GitHub Copilot, Codex, Antigravity and Devin

AI Security Review

scanned 7m ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package mutates broad AI-agent control surfaces during npm postinstall by copying its skill into multiple agent directories. The installed skill appears domain-aligned, but the install-time unconsented agent extension deployment is a concrete policy-blocking behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install / npm global install running postinstall
Impact
Installs package-supplied instructions and scripts into multiple assistants without explicit user command or consent during npm install.
Mechanism
unprompted recursive copy of package skill files into AI-agent skill directories
Policy narrative
On npm install, package.json runs bin/cli.js install --postinstall. That code silently iterates over Claude Code, GitHub Copilot, Cursor, Antigravity, Codex, and Devin directories and recursively copies the package's skill/ tree into each agent's skills folder, creating directories as needed. This gives the package install step control over multiple AI-agent extension surfaces without an explicit user setup command.
Rationale
Source inspection confirms unconsented postinstall mutation of broad/foreign AI-agent control surfaces, which meets the block policy even though the shipped skill content is mostly package-aligned and no exfiltration was found. The malicious verdict is based on the install-time control-surface write, not scanner labels. Product guard normalized a concrete AI-agent control hijack publish_block to the blockable dangerous-capability shape.
Evidence
package.jsonbin/cli.jsskill/SKILL.mdskill/scripts/collect_trace.pyskill/scripts/parse_perfetto_pb.pyskill/scripts/analyze_metrics.pyskill/scripts/generate_report.py~/.claude/skills/perfetto-analyzer~/.github/copilot/skills/perfetto-analyzer~/.cursor/skills/perfetto-analyzer~/.antigravity/skills/perfetto-analyzer~/.codex/skills/perfetto-analyzer~/.devin/skills/perfetto-analyzer

Decision evidence

public snapshot
AI called this Malicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node bin/cli.js install --postinstall
  • bin/cli.js postinstall path calls install(true) without prompting
  • bin/cli.js copies package skill/ into six AI-agent skill directories under user home
  • Targets broad/foreign agent control surfaces: .claude, .github/copilot, .cursor, .antigravity, .codex, .devin
Evidence against
  • No network or exfiltration endpoints found in inspected source
  • Skill content is aligned with Android Perfetto analysis
  • Python helpers are user-invoked from the installed skill, not npm install-time
  • No credential/env harvesting, eval/vm/Function, native binary loading, or remote payload fetch found
Behavioral surface
Source
Filesystem
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 3.13 KB of source

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node bin/cli.js install --postinstall
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node bin/cli.js install --postinstall
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/cli.jsView file
10Install-time AI-agent control hijack evidence: L10: const AGENTS = [ L11: { name: "Claude Code", dir: path.join(os.homedir(), ".claude", "skills") }, L12: { name: "GitHub Copilot", dir: path.join(os.homedir(), ".github", "copilot", "skills") }, ... L14: { name: "Antigravity", dir: path.join(os.homedir(), ".antigravity", "skills") }, L15: { name: "Codex", dir: path.join(os.homedir(), ".codex", "skills") }, L16: { name: "Devin", dir: path.join(os.homedir(), ".devin", "skills") }, ... L19: function copyDir(src, dest) { L20: fs.mkdirSync(dest, { recursive: true }); L21: for (const entry of fs.readdirSync(src, { withFileTypes: true })) { ... L26: } else { L27: fs.copyFileSync(srcPath, destPath); L28: } Payload evidence from skill/SKILL.md: L143: L144: O relatório vai para stdout. Apresente ao usuário formatado como markdown. L145: ... L153: # Relatório de Performance — <package> L154: **Dispositivo:** <device> | **Data:** <data> | **Duração:** <Xs> | **Tipo:** <tipo> L155:
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

bin/cli.jsView on unpkg · L10
skill/scripts/parse_perfetto_pb.pyView file
path = skill/scripts/parse_perfetto_pb.py kind = build_helper sizeBytes = 16663 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

skill/scripts/parse_perfetto_pb.pyView on unpkg

Findings

1 Critical1 High3 Medium2 Low
CriticalAi Agent Control Hijackbin/cli.js
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumShips Build Helperskill/scripts/parse_perfetto_pb.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem