registry  /  pitch-skills  /  1.4.0

pitch-skills@1.4.0

Agent skills for founding pitches: Priestley CAPSTONE enrollment and investor diligence. Works with Cursor, Claude Code, Codex, and ChatGPT/VS Code Agent.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Installing the package triggers an unconsented postinstall mutation of agent control surfaces in the consuming project. It replaces package-provided skill directories across multiple AI-agent platforms and then launches a broad skills sync.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
`npm install pitch-skills` in a consumer project
Impact
Project-local Cursor, Claude, Codex, and universal agent instructions are deleted/replaced without an explicit user command.
Mechanism
postinstall copies skills into foreign agent directories and runs broad npx sync
Policy narrative
At npm postinstall, the package determines the consumer project root, removes existing per-skill directories, and copies its instruction files into universal, Cursor, Claude, and Codex skill locations. It also invokes `npx skills experimental_sync` with `-a '*'`. This is unconsented lifecycle-time mutation of broad, foreign AI-agent control surfaces; its benign-looking pitch content does not remove the install-time control-hijack behavior.
Rationale
Source inspection confirms a concrete postinstall chain that overwrites multiple consumer-project AI-agent instruction locations and runs a broad sync command. This meets the blocking policy for unconsented lifecycle mutation of foreign/broad AI-agent control surfaces.
Evidence
package.jsonscripts/install.jsscripts/mirror-agents.js.cursor-plugin/plugin.json.claude-plugin/plugin.jsonskills/pitch-capstone/SKILL.md<projectRoot>/package.json<projectRoot>/.agents/skills/pitch-capstone<projectRoot>/.agents/skills/pitch-diligence<projectRoot>/.cursor/skills/pitch-capstone<projectRoot>/.claude/skills/pitch-capstone<projectRoot>/.codex/skills/pitch-capstone

Decision evidence

public snapshot
AI called this Malicious at 96.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • `package.json` runs `scripts/install.js` on `postinstall`.
  • `scripts/install.js` locates the consuming project via `INIT_CWD`/cwd.
  • Postinstall deletes and replaces four project agent-skill paths.
  • It writes `.agents`, `.cursor`, `.claude`, and `.codex` control surfaces.
  • It invokes `npx skills experimental_sync -y -a '*'` during installation.
Evidence against
  • Skill contents are pitch and investor-diligence guidance, not credential collection.
  • No hard-coded exfiltration endpoint, secret harvesting, eval, or payload loader found.
  • Plugin manifests only declare the package's `skills` directory.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystem
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 5.60 KB of source

Source & flagged code

5 flagged · loading source
package.jsonView file
scripts.postinstall = node ./scripts/install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./scripts/install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts/install.jsView file
7Install-time AI-agent control hijack evidence: L7: * .cursor/skills/ — Cursor L8: * .claude/skills/ — Claude Code L9: * .codex/skills/ — Codex CLI (alt path) L10: * ... L24: '.cursor/skills', L25: '.claude/skills', L26: '.codex/skills', L27: ] ... L82: function copyDir(src, dest) { L83: fs.mkdirSync(dest, { recursive: true }) L84: for (const entry of fs.readdirSync(src, { withFileTypes: true })) { ... L87: if (entry.isDirectory()) copyDir(from, to) Payload evidence from skills/pitch-capstone/SKILL.md: L9: stress-tests, and killer questions — only after the CAPSTONE spine exists. L10: metadata: L11: short-description: CAPSTONE pitch — sharpen Clarity through Essence ... L21: L22: Canonical method: **CAPSTONE** (Daniel Priestley). Source notes: [references/priestley-capstone.md](references/priestley-capstone.md) · [The CAPSTONE Pitch structure](https://www.y... L23:
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/install.jsView on unpkg · L7
16const path = require('path') L17: const { spawnSync } = require('child_process') L18:
High
Child Process

Package source references child process execution.

scripts/install.jsView on unpkg · L16
11* Usage: L12: * npm install pitch-skills && npx pitch-skills L13: */ ... L16: const path = require('path') L17: const { spawnSync } = require('child_process') L18:
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/install.jsView on unpkg · L11

Findings

1 Critical3 High3 Medium3 Low
CriticalAi Agent Control Hijackscripts/install.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processscripts/install.js
HighRuntime Package Installscripts/install.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem