registry  /  shopport  /  0.5.0

shopport@0.5.0

커머스 운영 자동화 CLI — Cafe24, Coupang, SmartStore, Shopify 통합 관리

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Installation silently invokes an agent-skill setup command. The CLI copies this package's bundled skill directories into Claude Code's user skill directory, enabling package-defined workflows to be discovered by an agent.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
`npm install` or `npm update` executes `postinstall`.
Impact
Adds implicitly invocable commerce automation skill definitions to the local Claude Code skill surface.
Mechanism
postinstall registration of first-party Claude Code skills
Rationale
Source confirms an install-time mutation of a first-party AI-agent extension surface. Under the stated policy, this warrants a warning rather than a block absent a concrete malicious chain.
Evidence
package.jsondist/cli.jsdist/skills/README.mddist/skills/shopport/agents/openai.yamldist/skills~/.claude/skills

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` runs `dist/cli.js setup-skills` automatically in `postinstall`.
  • `dist/cli.js` copies bundled skills into `~/.claude/skills` using filesystem operations.
  • Bundled `agents/openai.yaml` files permit implicit agent invocation.
Evidence against
  • The setup routine copies the package's own `dist/skills` directory; no foreign agent-control files were identified.
  • No source evidence of credential harvesting, shell payload download, or install-time network exfiltration.
  • Observed service endpoints support the documented commerce CLI and its cloud onboarding.
Behavioral surface
Source
ChildProcessEnvironmentVarsEvalNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
NoLicense
scanned 1 file(s), 2.06 MB of source, external domains: admin.shopify.com, apicenter.commerce.naver.com, cjdropshipping.com, console.apify.com, developer.wehago.com, developers.cafe24.com, developers.naver.com, github.com, mobile.domeggook.com, newpin.wconcept.co.kr, openapi.29cm.co.kr, partner.musinsa.com, partner.smartstore.naver.com, plto.com, react.dev, rocketsell-proxy.fly.dev, searchad.naver.com, sell.smartstore.naver.com, shopping-seller.toss.im, shopport.vercel.app, whatismyipaddress.com, wing.coupang.com, www.boxhero.io, www.cafe24.com, www.google.com, www.w3.org
Oversized source lightweight scan
dist/cli.js2.06 MB file, sampled 256 KB
NetworkEnvironmentVarsObfuscatedHighEntropyStringsMinified

Source & flagged code

5 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "try{require('child_process').execFileSync(process.execPath,['dist/cli.js','setup-skills'],{stdio:'pipe'})}catch(_){}"
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.jsonView on unpkg
scripts.postinstall = node -e "try{require('child_process').execFileSync(process.execPath,['dist/cli.js','setup-skills'],{stdio:'pipe'})}catch(_){}"
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/dashboard-ui/assets/index-ChYTl53S.jsView file
467`+b.message)}var a=new Ee;a.add(n),a.isGeoSVGGraphicRoot=!0;var i=t.width,o=t.height,s=t.viewBoxRect,l=this._boundingRect;if(!l){var u=void 0,c=void 0,f=void 0,h=void 0;if(i!=null?... L468: `+i.message)}return Z1e(t,a),P(a,function(i){var o=i.name;Q1e(t,i),ebe(t,i);var s=this._specialAreas&&this._specialAreas[o];s&&i.transformTo(s.left,s.top,s.width,s.height)},this),a... L469: `))}),e.join(`
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/dashboard-ui/assets/index-ChYTl53S.jsView on unpkg · L467
dist/cli.jsView file
path = dist/cli.js kind = oversized_source_file sizeBytes = 2157597 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/cli.jsView on unpkg
path = dist/cli.js kind = oversized_cli_entrypoint sizeBytes = 2157597 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/cli.jsView on unpkg

Findings

1 Critical3 High4 Medium6 Low
CriticalRed Install Lifecycle Scriptpackage.json
HighInstall Time Lifecycle Scriptspackage.json
HighObfuscated
HighOversized Source Filedist/cli.js
MediumNetwork
MediumEnvironment Vars
MediumOversized Cli Entrypointdist/cli.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/dashboard-ui/assets/index-ChYTl53S.js
LowHigh Entropy Strings
LowUrl Strings
LowNo License