registry  /  portable-agent-layer  /  0.59.0

portable-agent-layer@0.59.0

PAL — Portable Agent Layer: persistent personal context for AI coding assistants

AI Security Review

scanned 3d ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
uninstall-only package script
Impact
May modify user-level AI-agent configuration during an explicit uninstall or package-owned setup flow; this is allowed with warning unless stronger malicious behavior is present.
Mechanism
unconsented lifecycle mutation of AI-agent hook/config surfaces
Rationale
Source inspection confirms a lifecycle-triggered broad mutation path across foreign AI-agent configs, which is blockable under the provided install-control-surface policy even though most install behavior is package-aligned and user-invoked. I did not find classic credential theft or exfiltration, but the npm uninstall hook is sufficient for malicious classification here. Product guard normalized uninstall-only AI-agent control-surface mutation to warn-only suspicious because modern npm does not run uninstall lifecycle scripts and the install path is user-invoked. Public report wording normalized to warn-only: uninstall-only agent configuration mutation is not treated as a registry-install block without another malicious chain.
Evidence
package.jsonsrc/cli/index.tssrc/targets/claude/uninstall.tssrc/targets/codex/uninstall.tssrc/targets/cursor/uninstall.tssrc/targets/copilot/uninstall.tssrc/targets/opencode/uninstall.tssrc/targets/codex/install.tsassets/templates/settings.claude.json~/.claude/settings.json~/.claude/skills~/.claude/agents~/.claude/CLAUDE.md~/.codex/hooks.json~/.codex/config.toml~/.codex/rules/default.rules~/.codex/skills~/.cursor/hooks.json~/.cursor/skills~/.cursor/agents~/.cursor/rules~/.copilot/hooks/pal-hooks.json~/.copilot/skills~/.copilot/agents

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines npm lifecycle uninstall: bun run src/cli/index.ts cli uninstall
  • src/cli/index.ts uninstall defaults to all targets when no flags are passed
  • target uninstallers modify foreign AI-agent config surfaces under ~/.claude, ~/.codex, ~/.cursor, ~/.copilot, ~/.config/opencode
  • src/targets/codex/install.ts enables hooks and merges rules in ~/.codex, but via explicit pal cli install
  • assets/templates/settings.claude.json grants broad read/search/web/Bash permissions and registers PAL hooks
Evidence against
  • .husky/install.mjs prepare is guarded to local git/dev installs and exits in production
  • No install lifecycle hook was found; main installation flow is user-invoked pal cli install/init
  • Installers mostly merge/back up existing configs and uninstallers remove PAL-owned entries
  • No credential harvesting or hardcoded exfiltration endpoint confirmed in inspected source
  • Network/API-key references are package-aligned optional tools or update/probe functionality
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
WildcardDependency
scanned 178 file(s), 1.86 MB of source, external domains: 127.0.0.1, aistudio.google.com, api.anthropic.com, api.openai.com, api.perplexity.ai, api.x.ai, console.x.ai, generativelanguage.googleapis.com, github.com, nodejs.org, registry.npmjs.org, www.perplexity.ai

Source & flagged code

6 flagged · loading source
assets/skills/playwright/tools/shot.tsView file
14L15: import { spawnSync } from "node:child_process"; L16: import { existsSync, mkdtempSync, rmSync } from "node:fs";
High
Child Process

Package source references child process execution.

assets/skills/playwright/tools/shot.tsView on unpkg · L14
assets/skills/consulting-report/tools/dev.tsView file
30stdio: "inherit", L31: shell: true, L32: });
High
Shell

Package source references shell execution.

assets/skills/consulting-report/tools/dev.tsView on unpkg · L30
assets/skills/consulting-report/tools/generate-pdf.tsView file
87} L88: const mod = (await import(pathToFileURL(dataPath).href)) as { L89: reportData?: ReportMeta;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

assets/skills/consulting-report/tools/generate-pdf.tsView on unpkg · L87
src/cli/index.tsView file
1045log.info("Installing dependencies..."); L1046: const deps = spawnSync("bun", ["install", "--frozen-lockfile"], { L1047: cwd: pkg, ... L1051: if (deps.status !== 0) { L1052: log.warn("bun install failed — continuing anyway, but hooks may not work"); L1053: }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

src/cli/index.tsView on unpkg · L1045
assets/statusline.ps1View file
path = assets/statusline.ps1 kind = build_helper sizeBytes = 9857 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

assets/statusline.ps1View on unpkg
src/tools/skill-doctor.tsView file
matchType = previous_version_dangerous_delta matchedPackage = portable-agent-layer@0.57.1 matchedIdentity = npm:cG9ydGFibGUtYWdlbnQtbGF5ZXI:0.57.1 similarity = 0.983 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/tools/skill-doctor.tsView on unpkg

Findings

1 Critical3 High6 Medium5 Low
CriticalPrevious Version Dangerous Deltasrc/tools/skill-doctor.ts
HighChild Processassets/skills/playwright/tools/shot.ts
HighShellassets/skills/consulting-report/tools/dev.ts
HighRuntime Package Installsrc/cli/index.ts
MediumDynamic Requireassets/skills/consulting-report/tools/generate-pdf.ts
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperassets/statusline.ps1
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings