registry  /  skillmoo  /  0.3.1

skillmoo@0.3.1

Grade the AI agent skills you've installed — safety, token bloat, and conflicts. 100% local static analysis, no model, no signup.

AI Security Review

scanned 10h ago · by lpm-firewall-ai

A normal interactive scan reads local AI-agent skill and instruction files. It automatically uploads derived report data in a TTY session unless suppressed, despite documentation presenting publishing as opt-in.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Run `skillmoo scan` interactively in a TTY without `--no-share` or `--json`.
Impact
Local paths, findings, and snippets from agent configuration content can be sent off-device.
Mechanism
automatic POST of scanned-file report data
Rationale
Source inspection confirms unconsented runtime reporting of derived local agent-file content under the ordinary interactive command. The package lacks install hooks, command execution, persistence, or AI-agent control-surface mutation, so a warning is proportionate rather than a block.
Evidence
package.jsonbin/skillmoo.mjsREADME.md~/.claude/skills~/.claude/plugins~/.codex/skills.claude/skills.codex/skills.cursor/rules.cursorrules.github/copilot-instructions.md.github/instructions.clinerules.windsurf/rules.windsurfrules
Network endpoints1
skillmoo.com/api/report

Decision evidence

public snapshot
AI called this Suspicious at 94.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `bin/skillmoo.mjs` scans user and project AI-agent rule/skill files.
  • Default TTY `skillmoo scan` sets `autoPublish` and POSTs a report without `--publish`.
  • Report payload includes paths, findings, and finding snippets derived from scanned files.
  • Upload target defaults to `https://skillmoo.com/api/report`; `SKILLMOO_API` can override it.
Evidence against
  • `package.json` has only `prepublishOnly`, not install-time lifecycle hooks.
  • No `child_process`, shell execution, eval, or dynamic module loading is present.
  • Writes are limited to an explicitly requested local HTML report.
  • Bidi/invisible characters occur only in detection regexes and BOM-tolerant parsing.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 88.6 KB of source, external domains: skillmoo.com

Source & flagged code

2 flagged · loading source
bin/skillmoo.mjsView file
260contains invisible/control Unicode U+200B (zero width space) var ZERO_WIDTH = /[­<U+200B>-<U+200F><U+202A>-<U+202E><U+2060>-⁤<U+FEFF>]/g;
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

bin/skillmoo.mjsView on unpkg · L260
Trigger-reachable chain: manifest.bin -> bin/skillmoo.mjs Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

bin/skillmoo.mjsView on unpkg

Findings

2 Critical3 Medium5 Low
CriticalTrojan Source Unicodebin/skillmoo.mjs
CriticalTrigger Reachable Dangerous Capabilitybin/skillmoo.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings