registry  /  perfetto-analyzer  /  1.0.3

perfetto-analyzer@1.0.3

AI skill for Android performance analysis using Perfetto — works with Claude Code, Cursor, GitHub Copilot, Codex, Antigravity and Devin

AI Security Review

scanned 1h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package uses npm postinstall to install an AI-agent skill into multiple unrelated assistant configuration directories under the user's home directory. This is an unconsented broad AI-agent control-surface mutation at install time.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install of perfetto-analyzer@1.0.3
Impact
AI assistants may load package-supplied instructions/tools without explicit user opt-in after installation.
Mechanism
postinstall copies packaged skill files into foreign AI-agent skill directories
Policy narrative
On installation, npm runs package.json postinstall, which invokes bin/cli.js install --postinstall. The CLI iterates over Claude Code, GitHub Copilot, Cursor, Antigravity, Codex, and Devin skill directories in the user's home directory and recursively copies the package's skill folder into each one. This can alter how multiple AI agents behave without a separate explicit setup command from the user.
Rationale
Source inspection confirms a concrete policy-blocking behavior: install-time mutation of broad, foreign AI-agent control surfaces. The absence of network exfiltration or obfuscation lowers the scope but does not make postinstall agent-control installation acceptable.
Evidence
package.jsonbin/cli.jsskill/SKILL.mdREADME.mdskill/~/.claude/skills/perfetto-analyzer~/.github/copilot/skills/perfetto-analyzer~/.cursor/skills/perfetto-analyzer~/.antigravity/skills/perfetto-analyzer~/.codex/skills/perfetto-analyzer~/.devin/skills/perfetto-analyzer

Decision evidence

public snapshot
AI called this Malicious at 96.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node bin/cli.js install --postinstall.
  • bin/cli.js postinstall copies the packaged skill into six home-directory AI-agent skill directories including ~/.claude/skills, ~/.codex/skills, ~/.cursor/skills, ~/.devin/skills.
  • bin/cli.js performs broad unconsented mutation of foreign agent control surfaces during npm install.
Evidence against
  • No network code or endpoints found in inspected source beyond documentation links.
  • No credential harvesting, obfuscation, eval/vm/Function, dynamic require, or child_process use found in bin/cli.js.
  • README documents the automatic skill installation behavior; payload is a local Perfetto analysis skill, not a remote download.
Behavioral surface
Source
Filesystem
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 3.13 KB of source

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node bin/cli.js install --postinstall
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node bin/cli.js install --postinstall
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/cli.jsView file
10Install-time AI-agent control hijack evidence: L10: const AGENTS = [ L11: { name: "Claude Code", dir: path.join(os.homedir(), ".claude", "skills") }, L12: { name: "GitHub Copilot", dir: path.join(os.homedir(), ".github", "copilot", "skills") }, ... L14: { name: "Antigravity", dir: path.join(os.homedir(), ".antigravity", "skills") }, L15: { name: "Codex", dir: path.join(os.homedir(), ".codex", "skills") }, L16: { name: "Devin", dir: path.join(os.homedir(), ".devin", "skills") }, ... L19: function copyDir(src, dest) { L20: fs.mkdirSync(dest, { recursive: true }); L21: for (const entry of fs.readdirSync(src, { withFileTypes: true })) { ... L26: } else { L27: fs.copyFileSync(srcPath, destPath); L28: } Payload evidence from skill/SKILL.md: L143: L144: O relatório vai para stdout. Apresente ao usuário formatado como markdown. L145: ... L153: # Relatório de Performance — <package> L154: **Dispositivo:** <device> | **Data:** <data> | **Duração:** <Xs> | **Tipo:** <tipo> L155:
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

bin/cli.jsView on unpkg · L10
skill/scripts/parse_perfetto_pb.pyView file
path = skill/scripts/parse_perfetto_pb.py kind = build_helper sizeBytes = 16663 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

skill/scripts/parse_perfetto_pb.pyView on unpkg

Findings

1 Critical1 High3 Medium2 Low
CriticalAi Agent Control Hijackbin/cli.js
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumShips Build Helperskill/scripts/parse_perfetto_pb.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem