registry  /  perfetto-analyzer  /  1.0.1

perfetto-analyzer@1.0.1

AI skill for Android performance analysis using Perfetto — works with Claude Code, Cursor, GitHub Copilot, Codex, Antigravity and Devin

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package mutates broad AI-agent skill directories during npm postinstall. The shipped skill appears domain-aligned, but activation is unconsented at install time across several foreign agent control surfaces.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install / global install postinstall
Impact
Installs new agent instructions/tools without explicit user command, potentially changing future AI assistant behavior.
Mechanism
silent recursive copy of package-supplied skill into AI-agent skill folders
Policy narrative
On install, npm runs package.json postinstall, which invokes bin/cli.js install --postinstall. That path recursively copies the bundled skill directory into six AI-agent skill locations under the user's home directory, silently enabling package-supplied agent instructions for future assistant sessions.
Rationale
Source inspection confirms unconsented postinstall mutation of broad third-party AI-agent control surfaces, which meets the block policy even though the bundled Perfetto skill itself appears package-aligned and no exfiltration was found. Product guard normalized a concrete AI-agent control hijack publish_block to the blockable dangerous-capability shape.
Evidence
package.jsonbin/cli.jsskill/SKILL.mdskill/scripts/collect_trace.pyskill/scripts/parse_perfetto_pb.pyskill/scripts/analyze_metrics.pyskill/scripts/generate_report.pyskill/~/.claude/skills/perfetto-analyzer~/.github/copilot/skills/perfetto-analyzer~/.cursor/skills/perfetto-analyzer~/.antigravity/skills/perfetto-analyzer~/.codex/skills/perfetto-analyzer~/.devin/skills/perfetto-analyzer

Decision evidence

public snapshot
AI called this Malicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node bin/cli.js install --postinstall
  • bin/cli.js install() copies bundled skill/ into multiple home-directory AI agent skill folders
  • Targets broad/foreign control surfaces: ~/.claude, ~/.github/copilot, ~/.cursor, ~/.antigravity, ~/.codex, ~/.devin
  • Postinstall path runs silently because --postinstall sets silent mode
Evidence against
  • No network request code found in bin/cli.js or shipped Python scripts
  • Bundled skill content is aligned with Android Perfetto analysis
  • Python scripts are user-invoked helpers for adb/perfetto trace collection and local JSON/report generation
  • No credential/env harvesting or remote payload download observed
Behavioral surface
Source
Filesystem
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 3.13 KB of source

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node bin/cli.js install --postinstall
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node bin/cli.js install --postinstall
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/cli.jsView file
10Install-time AI-agent control hijack evidence: L10: const AGENTS = [ L11: { name: "Claude Code", dir: path.join(os.homedir(), ".claude", "skills") }, L12: { name: "GitHub Copilot", dir: path.join(os.homedir(), ".github", "copilot", "skills") }, ... L14: { name: "Antigravity", dir: path.join(os.homedir(), ".antigravity", "skills") }, L15: { name: "Codex", dir: path.join(os.homedir(), ".codex", "skills") }, L16: { name: "Devin", dir: path.join(os.homedir(), ".devin", "skills") }, ... L19: function copyDir(src, dest) { L20: fs.mkdirSync(dest, { recursive: true }); L21: for (const entry of fs.readdirSync(src, { withFileTypes: true })) { ... L26: } else { L27: fs.copyFileSync(srcPath, destPath); L28: } Payload evidence from skill/SKILL.md: L143: L144: O relatório vai para stdout. Apresente ao usuário formatado como markdown. L145: ... L153: # Relatório de Performance — <package> L154: **Dispositivo:** <device> | **Data:** <data> | **Duração:** <Xs> | **Tipo:** <tipo> L155:
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

bin/cli.jsView on unpkg · L10
skill/scripts/parse_perfetto_pb.pyView file
path = skill/scripts/parse_perfetto_pb.py kind = build_helper sizeBytes = 16431 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

skill/scripts/parse_perfetto_pb.pyView on unpkg

Findings

1 Critical1 High3 Medium2 Low
CriticalAi Agent Control Hijackbin/cli.js
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumShips Build Helperskill/scripts/parse_perfetto_pb.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem