AI Security Review
scanned 1d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The CLI reads configured AI-skill files only after an explicit user command; optional report publishing is user-selected.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `skillmoo scan`, with network activity only when adding `--publish`.
Impact
Reads discovered skill/rule content and can upload derived report data only on explicit publish.
Mechanism
Local static analysis with opt-in report upload.
Rationale
Source implements a user-invoked local analyzer, an explicit local-report write, and an explicit opt-in upload feature. No lifecycle execution, hidden payload, credential harvesting, persistence, or unconsented AI-agent control-surface mutation was found.
Evidence
package.jsonbin/skillmoo.mjsREADME.md~/.claude/skills~/.claude/plugins~/.codex/skills.claude/skills.codex/skills.cursor/rules.github/copilot-instructions.md.github/instructions.clinerules.windsurf/rules
Network endpoints1
skillmoo.com/api/report
Decision evidence
public snapshotAI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
- `bin/skillmoo.mjs` scans user/project AI-skill and rule files when the CLI is invoked.
- `skillmoo scan --publish` POSTs a generated report to the opt-in `SKILLMOO_API` endpoint.
Evidence against
- `package.json` has only `prepublishOnly`; no install-time lifecycle hook runs for consumers.
- `bin/skillmoo.mjs` imports only Node fs/path/os APIs; no subprocess, eval, dynamic loader, or native binary execution exists.
- Network use is gated by explicit `--publish` and targets `${SKILLMOO_API||https://skillmoo.com}/api/report`.
- The only write is explicit `--report`, which creates a local HTML report in the working directory.
- The alleged invisible Unicode is the analyzer's `ZERO_WIDTH` detection regex, not concealed control flow.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcebin/skillmoo.mjsView file
260contains invisible/control Unicode U+200B (zero width space)
var ZERO_WIDTH = /[<U+200B>-<U+200F><U+202A>-<U+202E><U+2060>-<U+FEFF>]/g;
Critical
Trojan Source Unicode
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
bin/skillmoo.mjsView on unpkg · L260•Trigger-reachable chain: manifest.bin -> bin/skillmoo.mjs
Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
bin/skillmoo.mjsView on unpkgFindings
2 Critical3 Medium5 Low
CriticalTrojan Source Unicodebin/skillmoo.mjs
CriticalTrigger Reachable Dangerous Capabilitybin/skillmoo.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings