AI Security Review
scanned 2d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The CLI performs local static analysis of standard AI-agent configuration paths when explicitly invoked; report upload is an explicit `--publish` action.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `skillmoo scan`; network requires `skillmoo scan --publish`.
Impact
Reads user and project agent-skill files during scanning; optional publish transmits the generated report.
Mechanism
Local skill-file analysis with optional report generation and user-requested upload.
Rationale
The static hints describe this package's own detection rules rather than executed malicious behavior. Source inspection shows an explicit, package-aligned local scanner with an opt-in report upload and no install-time or stealth execution.
Evidence
package.jsonbin/skillmoo.mjsREADME.md~/.claude/skills~/.claude/plugins~/.codex/skills.claude/skills.codex/skills.cursor/rules.cursorrules.github/copilot-instructions.md.github/instructions.clinerules.windsurf/rules.windsurfrulesskillmoo-report.html
Network endpoints1
skillmoo.com/api/report
Decision evidence
public snapshotAI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
- `bin/skillmoo.mjs` reads AI-agent skill and rule files when its CLI is run.
- `bin/skillmoo.mjs` can POST a generated scan report to `https://skillmoo.com/api/report`, but only with `scan --publish`.
- `bin/skillmoo.mjs` can write `skillmoo-report.html` only with `scan --report` or `--html`.
Evidence against
- `package.json` has no preinstall, install, or postinstall hook; `prepublishOnly` is publisher-side.
- The only executable entrypoint is the user-invoked `skillmoo` CLI.
- No child-process, shell execution, eval, dynamic module loading, binary loading, deletion, or persistence API is used.
- Network code is isolated to the explicit `--publish` command; normal scanning is local.
- The reported invisible-Unicode matches are scanner regexes used to detect such characters in inspected skill content.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcebin/skillmoo.mjsView file
252contains invisible/control Unicode U+200B (zero width space)
var ZERO_WIDTH = /[<U+200B>-<U+200F><U+202A>-<U+202E><U+2060>-<U+FEFF>]/g;
Critical
Trojan Source Unicode
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
bin/skillmoo.mjsView on unpkg · L252•Trigger-reachable chain: manifest.bin -> bin/skillmoo.mjs
Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
bin/skillmoo.mjsView on unpkgFindings
2 Critical3 Medium5 Low
CriticalTrojan Source Unicodebin/skillmoo.mjs
CriticalTrigger Reachable Dangerous Capabilitybin/skillmoo.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings