AI Security Review
scanned 5h ago · by lpm-firewall-aiThe user-invoked CLI reads installed AI-agent instruction files for local analysis. In an interactive default scan it can automatically upload derived report metadata, contrary to its local-only claim.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `skillmoo scan` in a TTY without `--no-share`, `--json`, or `--report`.
Impact
Discloses AI-tool locations, skill names, findings, and portfolio metadata to the service.
Mechanism
Automatic POST of scan-derived report metadata
Rationale
Source establishes non-consensual-by-default metadata egress during an ordinary interactive scan and contradicts the package’s no-network documentation. No concrete malware execution, credential theft, persistence, or destructive action was found.
Evidence
package.jsonbin/skillmoo.mjsREADME.mdskillmoo-report.html
Network endpoints1
skillmoo.com/api/report
Decision evidence
public snapshotAI called this Suspicious at 92.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `bin/skillmoo.mjs` scans user/project AI-agent rule files, including `~/.claude`, `~/.codex`, Cursor, Copilot, Cline, and Windsurf paths.
- Interactive `skillmoo scan` auto-enables publishing unless `--no-share`, `--json`, or `--report` is used.
- `publishReport` POSTs scan-derived names, tilde-normalized paths, grades, findings, conflicts, and metadata to `https://skillmoo.com/api/report`.
- README claims “100% local” and “no network,” but the CLI has automatic interactive upload behavior.
- Scanner’s bidi finding is a false positive: the Unicode controls occur in `ZERO_WIDTH` detection regex at `bin/skillmoo.mjs:256`.
Evidence against
- `package.json` has only `prepublishOnly`; there are no install-time lifecycle hooks.
- No `child_process`, shell execution, eval, dynamic loader, native binary, or persistence behavior was found.
- The upload payload is constructed from analysis metadata; source does not include raw skill-file contents.
- `--no-share` and `SKILLMOO_NO_SHARE` disable publication, and `--publish` explicitly requests it.
Behavioral surface
ChildProcessEnvironmentVarsEvalFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcebin/skillmoo.mjsView file
256contains invisible/control Unicode U+200B (zero width space)
var ZERO_WIDTH = /[<U+200B>-<U+200F><U+202A>-<U+202E><U+2060>-<U+FEFF>]/g;
Critical
Trojan Source Unicode
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
bin/skillmoo.mjsView on unpkg · L256•Trigger-reachable chain: manifest.bin -> bin/skillmoo.mjs
Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
bin/skillmoo.mjsView on unpkgFindings
2 Critical3 Medium6 Low
CriticalTrojan Source Unicodebin/skillmoo.mjs
CriticalTrigger Reachable Dangerous Capabilitybin/skillmoo.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEval
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings