registry  /  perfetto-analyzer  /  1.0.0

perfetto-analyzer@1.0.0

AI skill for Android performance analysis using Perfetto — works with Claude Code, Cursor, GitHub Copilot, Codex, Antigravity and Devin

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package mutates broad AI-agent extension directories during npm postinstall by installing a bundled skill. This is an unconsented install-time write to multiple foreign agent control surfaces.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install of perfetto-analyzer@1.0.0
Impact
Automatically enables package-supplied instructions/tools in supported AI assistants for the current user
Mechanism
postinstall copies package skill directory into AI-agent skill folders
Policy narrative
On npm install, the postinstall lifecycle runs bin/cli.js with install --postinstall. That code recursively copies the bundled skill into six AI-agent skill directories under the user's home, including Codex, Claude Code, Cursor, Copilot, Antigravity, and Devin, silently during postinstall. No exfiltration or remote execution was found, but the install-time control-surface mutation is broad and unconsented.
Rationale
Source inspection confirms unconsented npm postinstall mutation of multiple foreign/broad AI-agent skill directories, which meets the block policy even though the bundled skill appears package-aligned and lacks network exfiltration. The risk is the lifecycle-driven AI-agent control-surface write, not the Perfetto helper functionality itself.
Evidence
package.jsonbin/cli.jsskill/SKILL.mdskill/scripts/collect_trace.pyskill/scripts/analyze_metrics.pyskill/scripts/generate_report.pyskill/scripts/parse_perfetto_pb.pyskill/~/.claude/skills/perfetto-analyzer~/.github/copilot/skills/perfetto-analyzer~/.cursor/skills/perfetto-analyzer~/.antigravity/skills/perfetto-analyzer~/.codex/skills/perfetto-analyzer~/.devin/skills/perfetto-analyzer

Decision evidence

public snapshot
AI called this Malicious at 94.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node bin/cli.js install --postinstall
  • bin/cli.js postinstall path copies bundled skill into multiple AI-agent skill directories under the user's home
  • Targets broad/foreign agent control surfaces: .claude, .github/copilot, .cursor, .antigravity, .codex, .devin
  • Install is silent during postinstall, so the agent extension mutation occurs without explicit user command
Evidence against
  • No network endpoints, fetch/curl/wget/socket use, or exfiltration code found
  • No credential/env harvesting found
  • No eval/vm/Function or dynamic remote payload loading found
  • Bundled skill content is package-aligned Perfetto/Android performance analysis documentation and local helper scripts
  • Python helpers are user-invoked for adb/perfetto trace collection and parsing
Behavioral surface
Source
Filesystem
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 3.13 KB of source

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node bin/cli.js install --postinstall
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node bin/cli.js install --postinstall
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/cli.jsView file
10Install-time AI-agent control hijack evidence: L10: const AGENTS = [ L11: { name: "Claude Code", dir: path.join(os.homedir(), ".claude", "skills") }, L12: { name: "GitHub Copilot", dir: path.join(os.homedir(), ".github", "copilot", "skills") }, ... L14: { name: "Antigravity", dir: path.join(os.homedir(), ".antigravity", "skills") }, L15: { name: "Codex", dir: path.join(os.homedir(), ".codex", "skills") }, L16: { name: "Devin", dir: path.join(os.homedir(), ".devin", "skills") }, ... L19: function copyDir(src, dest) { L20: fs.mkdirSync(dest, { recursive: true }); L21: for (const entry of fs.readdirSync(src, { withFileTypes: true })) { ... L26: } else { L27: fs.copyFileSync(srcPath, destPath); L28: } Payload evidence from skill/SKILL.md: L143: L144: O relatório vai para stdout. Apresente ao usuário formatado como markdown. L145: ... L153: # Relatório de Performance — <package> L154: **Dispositivo:** <device> | **Data:** <data> | **Duração:** <Xs> | **Tipo:** <tipo> L155:
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

bin/cli.jsView on unpkg · L10
skill/scripts/parse_perfetto_pb.pyView file
path = skill/scripts/parse_perfetto_pb.py kind = build_helper sizeBytes = 16431 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

skill/scripts/parse_perfetto_pb.pyView on unpkg

Findings

1 Critical1 High3 Medium2 Low
CriticalAi Agent Control Hijackbin/cli.js
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumShips Build Helperskill/scripts/parse_perfetto_pb.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem