registry  /  skillmoo  /  0.3.2

skillmoo@0.3.2

Grade the AI agent skills you've installed — safety, token bloat, and conflicts. 100% local static analysis, no model, no signup.

AI Security Review

scanned 5h ago · by lpm-firewall-ai

The user-invoked CLI reads installed AI-agent instruction files for local analysis. In an interactive default scan it can automatically upload derived report metadata, contrary to its local-only claim.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `skillmoo scan` in a TTY without `--no-share`, `--json`, or `--report`.
Impact
Discloses AI-tool locations, skill names, findings, and portfolio metadata to the service.
Mechanism
Automatic POST of scan-derived report metadata
Rationale
Source establishes non-consensual-by-default metadata egress during an ordinary interactive scan and contradicts the package’s no-network documentation. No concrete malware execution, credential theft, persistence, or destructive action was found.
Evidence
package.jsonbin/skillmoo.mjsREADME.mdskillmoo-report.html
Network endpoints1
skillmoo.com/api/report

Decision evidence

public snapshot
AI called this Suspicious at 92.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `bin/skillmoo.mjs` scans user/project AI-agent rule files, including `~/.claude`, `~/.codex`, Cursor, Copilot, Cline, and Windsurf paths.
  • Interactive `skillmoo scan` auto-enables publishing unless `--no-share`, `--json`, or `--report` is used.
  • `publishReport` POSTs scan-derived names, tilde-normalized paths, grades, findings, conflicts, and metadata to `https://skillmoo.com/api/report`.
  • README claims “100% local” and “no network,” but the CLI has automatic interactive upload behavior.
  • Scanner’s bidi finding is a false positive: the Unicode controls occur in `ZERO_WIDTH` detection regex at `bin/skillmoo.mjs:256`.
Evidence against
  • `package.json` has only `prepublishOnly`; there are no install-time lifecycle hooks.
  • No `child_process`, shell execution, eval, dynamic loader, native binary, or persistence behavior was found.
  • The upload payload is constructed from analysis metadata; source does not include raw skill-file contents.
  • `--no-share` and `SKILLMOO_NO_SHARE` disable publication, and `--publish` explicitly requests it.
Behavioral surface
Source
ChildProcessEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 90.6 KB of source, external domains: skillmoo.com

Source & flagged code

2 flagged · loading source
bin/skillmoo.mjsView file
256contains invisible/control Unicode U+200B (zero width space) var ZERO_WIDTH = /[­<U+200B>-<U+200F><U+202A>-<U+202E><U+2060>-⁤<U+FEFF>]/g;
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

bin/skillmoo.mjsView on unpkg · L256
Trigger-reachable chain: manifest.bin -> bin/skillmoo.mjs Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

bin/skillmoo.mjsView on unpkg

Findings

2 Critical3 Medium6 Low
CriticalTrojan Source Unicodebin/skillmoo.mjs
CriticalTrigger Reachable Dangerous Capabilitybin/skillmoo.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEval
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings