registry  /  skillmoo  /  0.3.0

skillmoo@0.3.0

Grade the AI agent skills you've installed — safety, token bloat, and conflicts. 100% local static analysis, no model, no signup.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The CLI reads configured AI-skill files only after an explicit user command; optional report publishing is user-selected.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `skillmoo scan`, with network activity only when adding `--publish`.
Impact
Reads discovered skill/rule content and can upload derived report data only on explicit publish.
Mechanism
Local static analysis with opt-in report upload.
Rationale
Source implements a user-invoked local analyzer, an explicit local-report write, and an explicit opt-in upload feature. No lifecycle execution, hidden payload, credential harvesting, persistence, or unconsented AI-agent control-surface mutation was found.
Evidence
package.jsonbin/skillmoo.mjsREADME.md~/.claude/skills~/.claude/plugins~/.codex/skills.claude/skills.codex/skills.cursor/rules.github/copilot-instructions.md.github/instructions.clinerules.windsurf/rules
Network endpoints1
skillmoo.com/api/report

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `bin/skillmoo.mjs` scans user/project AI-skill and rule files when the CLI is invoked.
  • `skillmoo scan --publish` POSTs a generated report to the opt-in `SKILLMOO_API` endpoint.
Evidence against
  • `package.json` has only `prepublishOnly`; no install-time lifecycle hook runs for consumers.
  • `bin/skillmoo.mjs` imports only Node fs/path/os APIs; no subprocess, eval, dynamic loader, or native binary execution exists.
  • Network use is gated by explicit `--publish` and targets `${SKILLMOO_API||https://skillmoo.com}/api/report`.
  • The only write is explicit `--report`, which creates a local HTML report in the working directory.
  • The alleged invisible Unicode is the analyzer's `ZERO_WIDTH` detection regex, not concealed control flow.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 68.7 KB of source, external domains: skillmoo.com

Source & flagged code

2 flagged · loading source
bin/skillmoo.mjsView file
260contains invisible/control Unicode U+200B (zero width space) var ZERO_WIDTH = /[­<U+200B>-<U+200F><U+202A>-<U+202E><U+2060>-⁤<U+FEFF>]/g;
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

bin/skillmoo.mjsView on unpkg · L260
Trigger-reachable chain: manifest.bin -> bin/skillmoo.mjs Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

bin/skillmoo.mjsView on unpkg

Findings

2 Critical3 Medium5 Low
CriticalTrojan Source Unicodebin/skillmoo.mjs
CriticalTrigger Reachable Dangerous Capabilitybin/skillmoo.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings