registry  /  swe-workflow-skills  /  0.2.0

swe-workflow-skills@0.2.0

A curated library of 44 Claude Code Agent Skills for the software lifecycle, with orchestrator-routed activation that scales past the skill-listing budget.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. An explicit install command deploys a first-party Claude Code skill library and optional SessionStart hook. The hook changes local skill activation settings and adds workflow instructions at session boundaries; no exfiltration or remote execution is established.

Static reason
No blocking static signals were detected.
Trigger
User runs `swe-workflow-skills install` and manually registers the printed SessionStart hook snippet.
Impact
Can influence Claude Code workflow behavior and rewrite package-managed `skillOverrides` in the chosen config directory.
Mechanism
First-party Claude skill/config setup with a persistent SessionStart context hook.
Rationale
Source establishes an explicit, first-party agent-extension setup that persists workflow guidance through a manually registered hook. It is not concrete malware, but warrants a warning for AI-agent control-surface impact.
Evidence
package.jsonbin/cli.mjsinstall.mjsscripts/resolve.mjshooks/session-start.mjsuninstall.mjs.claude/skills/*.claude/hooks/resolve.mjs.claude/hooks/session-start.mjs.claude/commands/role.md.claude/settings.local.json

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `install.mjs` is an explicit CLI installer that copies package skills and a SessionStart hook into a selected Claude config directory.
  • `install.mjs` writes `.claude/settings.local.json` skillOverrides and installs `.claude/hooks/session-start.mjs`.
  • `hooks/session-start.mjs` dynamically imports the package-owned resolver and rewrites the local skill baseline on every SessionStart.
  • Installed hook injects persistent workflow-routing instructions into Claude session context.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hook; only `prepublishOnly` runs before publishing.
  • `bin/cli.mjs` dispatches only explicit `install` or `uninstall` commands using the local Node executable.
  • No network client, endpoint, credential harvesting, shell execution, eval, or remote payload loader appears in executable source.
  • The installer explicitly does not edit `.claude/settings.json`; it prints a hook-registration snippet for the user to merge.
  • `uninstall.mjs` asks for confirmation by default and removes only package-named files plus its skillOverride entries.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemShell
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 36.1 KB of source

Source & flagged code

2 flagged · loading source
hooks/session-start.mjsView file
77for (const p of [join(SCRIPT_DIR, "resolve.mjs"), join(SCRIPT_DIR, "..", "scripts", "resolve.mjs")]) { L78: if (existsSync(p)) return import(pathToFileURL(p).href); L79: }
Medium
Dynamic Require

Package source references dynamic require/import behavior.

hooks/session-start.mjsView on unpkg · L77
skills/infrastructure-as-code/references/iac-patterns.mdView file
146patternName = generic_password severity = medium line = 146 matchedText = password...123"
Medium
Secret Pattern

Hardcoded password in skills/infrastructure-as-code/references/iac-patterns.md

skills/infrastructure-as-code/references/iac-patterns.mdView on unpkg · L146

Findings

3 Medium3 Low
MediumDynamic Requirehooks/session-start.mjs
MediumEnvironment Vars
MediumSecret Patternskills/infrastructure-as-code/references/iac-patterns.md
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem