registry  /  skillmoo  /  0.2.0

skillmoo@0.2.0

Grade the AI agent skills you've installed — safety, token bloat, and conflicts. 100% local static analysis, no model, no signup.

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The CLI performs local static analysis of standard AI-agent configuration paths when explicitly invoked; report upload is an explicit `--publish` action.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `skillmoo scan`; network requires `skillmoo scan --publish`.
Impact
Reads user and project agent-skill files during scanning; optional publish transmits the generated report.
Mechanism
Local skill-file analysis with optional report generation and user-requested upload.
Rationale
The static hints describe this package's own detection rules rather than executed malicious behavior. Source inspection shows an explicit, package-aligned local scanner with an opt-in report upload and no install-time or stealth execution.
Evidence
package.jsonbin/skillmoo.mjsREADME.md~/.claude/skills~/.claude/plugins~/.codex/skills.claude/skills.codex/skills.cursor/rules.cursorrules.github/copilot-instructions.md.github/instructions.clinerules.windsurf/rules.windsurfrulesskillmoo-report.html
Network endpoints1
skillmoo.com/api/report

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `bin/skillmoo.mjs` reads AI-agent skill and rule files when its CLI is run.
  • `bin/skillmoo.mjs` can POST a generated scan report to `https://skillmoo.com/api/report`, but only with `scan --publish`.
  • `bin/skillmoo.mjs` can write `skillmoo-report.html` only with `scan --report` or `--html`.
Evidence against
  • `package.json` has no preinstall, install, or postinstall hook; `prepublishOnly` is publisher-side.
  • The only executable entrypoint is the user-invoked `skillmoo` CLI.
  • No child-process, shell execution, eval, dynamic module loading, binary loading, deletion, or persistence API is used.
  • Network code is isolated to the explicit `--publish` command; normal scanning is local.
  • The reported invisible-Unicode matches are scanner regexes used to detect such characters in inspected skill content.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 50.7 KB of source, external domains: skillmoo.com

Source & flagged code

2 flagged · loading source
bin/skillmoo.mjsView file
252contains invisible/control Unicode U+200B (zero width space) var ZERO_WIDTH = /[­<U+200B>-<U+200F><U+202A>-<U+202E><U+2060>-⁤<U+FEFF>]/g;
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

bin/skillmoo.mjsView on unpkg · L252
Trigger-reachable chain: manifest.bin -> bin/skillmoo.mjs Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

bin/skillmoo.mjsView on unpkg

Findings

2 Critical3 Medium5 Low
CriticalTrojan Source Unicodebin/skillmoo.mjs
CriticalTrigger Reachable Dangerous Capabilitybin/skillmoo.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings