registry  /  skillmoo  /  0.3.4

skillmoo@0.3.4

Grade the AI agent skills you've installed — safety, token bloat, and conflicts. 100% local static analysis, no model, no signup.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Running `skillmoo scan` in an interactive terminal automatically uploads a report unless suppressed. The report contains discovered AI-skill metadata and findings, not source contents.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `skillmoo scan` with a TTY and without --no-share, --json, --report, or --publish.
Impact
Unexpected disclosure of local agent-skill paths and derived security metadata.
Mechanism
Automatic POST of discovered AI-skill analysis metadata.
Rationale
Source inspection confirms unexpected automatic metadata egress during a user-invoked scan, contradicting the local-only positioning. It does not show a concrete malicious payload or unconsented install-time control-surface mutation.
Evidence
package.jsonbin/skillmoo.mjsREADME.md~/.claude/skills~/.claude/plugins~/.codex/skills.claude/skills.codex/skills.cursor/rules.github/copilot-instructions.md.github/instructions.clinerules.windsurf/rules
Network endpoints1
skillmoo.com/api/report

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • bin/skillmoo.mjs auto-publishes interactive scan results unless --no-share is used.
  • bin/skillmoo.mjs POSTs scan data to ${SKILLMOO_API||https://skillmoo.com}/api/report.
  • Published data includes discovered skill paths, names, findings, grades, and token metadata.
  • The manifest describes the CLI as fully local, conflicting with default interactive upload behavior.
Evidence against
  • package.json has only prepublishOnly; installation has no lifecycle hook.
  • No child-process execution, dynamic code loading, credential harvesting, or persistence writes were found.
  • The only writeFileSync call is an explicit --report/--html local HTML output.
  • publishReport serializes analysis metadata, not scanned SKILL.md contents.
Behavioral surface
Source
ChildProcessEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 98.3 KB of source, external domains: skillmoo.com

Source & flagged code

3 flagged · loading source
bin/skillmoo.mjsView file
35} L36: function defaultRoots(cwd = process.cwd()) { L37: const h = homedir(); ... L160: "ps1", L161: "powershell", L162: "python", ... L173: ]); L174: var SHELLISH = /(^|\n)\s*(?:curl|wget|rm|sudo|cat|echo|export|pip3?|npm|apt|brew|chmod|chown|ssh|scp|nc|bash|sh|eval|python3?|node|base64)\b/; L175: function extractScripts(md) { ... L189: { cap: "exec", label: "Executes code", severity: "critical", re: /\b(?:curl|wget)\b[^\n|]{0,120}\|\s*(?:sudo\s+)?(?:ba)?sh\b/i, detail: "downloads a remote script and runs it (curl... L190: { cap: "exec", label: "Executes code", severity: "critical", re: /\/dev\/tcp\/\d|\bnc\b[^\n]{0,30}\s-e\b|\bncat\b[^\n]{0,30}--exec|\b(?:ba)?sh\s+-i\b[^\n]{0,24}(?:>&|<&|\d>&)|mkfif... L191: { cap: "encoded", label: "Runs encoded content", severity: "critical", re: /(?:base64\s+(?:-d|--decode)|xxd\s+-r|openssl\s+enc\s+-d|gunzip|zcat)[^\n]{0,50}\|\s*(?:sudo\s+)?(?:ba)?s...
Critical
Persistence Backdoor

Source writes persistence or remote-access backdoor material.

bin/skillmoo.mjsView on unpkg · L35
258contains invisible/control Unicode U+200B (zero width space) var ZERO_WIDTH = /[­<U+200B>-<U+200F><U+202A>-<U+202E><U+2060>-⁤<U+FEFF>]/g;
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

bin/skillmoo.mjsView on unpkg · L258
35Trigger-reachable chain: manifest.bin -> bin/skillmoo.mjs L35: } L36: function defaultRoots(cwd = process.cwd()) { L37: const h = homedir(); ... L160: "ps1", L161: "powershell", L162: "python", ... L173: ]); L174: var SHELLISH = /(^|\n)\s*(?:curl|wget|rm|sudo|cat|echo|export|pip3?|npm|apt|brew|chmod|chown|ssh|scp|nc|bash|sh|eval|python3?|node|base64)\b/; L175: function extractScripts(md) { ... L189: { cap: "exec", label: "Executes code", severity: "critical", re: /\b(?:curl|wget)\b[^\n|]{0,120}\|\s*(?:sudo\s+)?(?:ba)?sh\b/i, detail: "downloads a remote script and runs it (curl... L190: { cap: "exec", label: "Executes code", severity: "critical", re: /\/dev\/tcp\/\d|\bnc\b[^\n]{0,30}\s-e\b|\bncat\b[^\n]{0,30}--exec|\b(?:ba)?sh\s+-i\b[^\n]{0,24}(?:>&|<&|\d>&)|mkfif... L191: { cap: "encoded", label: "Runs encoded content", severity: "critical", re: /(?:base64\s+(?:-d|--decode)|xxd\s+-r|openssl\s+enc\s+-d|gunzip|zcat)[^\n]{0,50}\|\s*(?:sudo\s+)?(?:ba)?s...
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

bin/skillmoo.mjsView on unpkg · L35

Findings

3 Critical3 Medium6 Low
CriticalPersistence Backdoorbin/skillmoo.mjs
CriticalTrojan Source Unicodebin/skillmoo.mjs
CriticalTrigger Reachable Dangerous Capabilitybin/skillmoo.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEval
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings