registry  /  ttj-skills-browser  /  1.2.7

ttj-skills-browser@1.2.7

ttj-skills-browser - Playwright CLI with auto-profile management

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Installation automatically mutates global Claude Code and Codex skill directories with package-supplied instructions. The installed CLI can launch a dedicated Chrome profile and run supplied JavaScript in its active page; no source-confirmed exfiltration chain was found.

Static reason
High-risk behavior combination matched malicious policy.; source matched previously finalized malicious package; routed for review
Trigger
`npm install` runs postinstall; later agent or user invocation runs the CLI.
Impact
Unconsented persistent package-owned AI-agent extension setup; invoked commands can control the dedicated browser session.
Mechanism
First-party global agent-skill installation plus browser CDP automation and auto-update.
Rationale
This is a real unconsented postinstall mutation of global AI-agent extension directories, but it is limited to a first-party package-namespaced skill and lacks a concrete malicious payload or exfiltration chain. It meets the lifecycle-risk warning boundary rather than the publish-block boundary.
Evidence
package.jsonscripts/install-skill.js.claude/skills/ttj-skills-browser/SKILL.mddist/browser.jsdist/cdp.jsdist/cli.jsdist/utils.js~/.claude/skills/ttj-skills-browser/SKILL.md~/.agents/skills/ttj-skills-browser/SKILL.md~/.ttj-skills-browser-installed
Network endpoints3
registry.npmjs.org/ttj-browser/latestwww.google.com127.0.0.1:${port}

Decision evidence

public snapshot
AI called this Suspicious at 94.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `postinstall` executes `scripts/install-skill.js`.
  • Installer copies package skill into `~/.claude/skills/ttj-skills-browser/SKILL.md`.
  • Installer writes converted skill to `~/.agents/skills/ttj-skills-browser/SKILL.md`.
  • Installed skill directs agents to invoke browser control commands and the CLI can evaluate user-supplied page JavaScript.
  • Runtime auto-update queries `https://registry.npmjs.org/ttj-browser/latest` and can globally install the package.
Evidence against
  • AI-agent writes are confined to package-owned `ttj-skills-browser` skill directories.
  • No credential, environment, or arbitrary-file harvesting is present.
  • No outbound exfiltration endpoint or remote payload execution was found.
  • Browser eval, navigation, screenshots, and Chrome launch require explicit CLI or skill invocation.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 8 file(s), 41.6 KB of source, external domains: 127.0.0.1, registry.npmjs.org, www.google.com, www.naver.com

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/install-skill.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/utils.jsView file
5import path from 'path'; L6: import net from 'net'; L7: import https from 'https'; L8: import { exec, execFile } from 'child_process'; L9: import { promisify } from 'util'; ... L19: */ L20: export const getOsType = () => process.platform === 'win32' L21: ? 'windows' ... L27: */ L28: export const getHomeDir = () => os.homedir(); L29: /** ... L35: const isWindows = getOsType() === 'windows';
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/utils.jsView on unpkg · L5
matchType = normalized_sha256 matchedPackage = ttj-sk[redacted]@1.2.6 matchedPath = dist/utils.js matchedIdentity = npm:dHRqLXNraWxscy1icm93c2Vy:1.2.6 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/utils.jsView on unpkg
scripts/install-skill.jsView file
14Install-time AI-agent control hijack evidence: L14: const skillName = 'ttj-sk[redacted]'; L15: const sk[redacted] = path.join(__dirname, '..', '.claude', 'skills', skillName); L16: const skillFile = 'SKILL.md'; ... L19: if (!fs.existsSync(dir)) { L20: fs.mkdirSync(dir, { recursive: true }); L21: } ... L43: // Claude Code: 기존 /ttj-sk[redacted] 호출 방식 유지 L44: const claudeTargetDir = path.join(homedir(), '.claude', 'skills', skillName); L45: const claudeTargetFile = path.join(claudeTargetDir, skillFile); L46: ensureDir(claudeTargetDir); L47: fs.copyFileSync(sourceFile, claudeTargetFile); L48: console.log(`✅ Claude Code 스킬 설치 완료: ${claudeTargetFile}`); Payload evidence from .claude/skills/ttj-sk[redacted]/SKILL.md: L139: ``` L140: 결과는 JSON으로 stdout에 출력됩니다. L141: ... L143: ```bash L144: ttj-sk[redacted] goto https://www.naver.com L145: ttj-sk[redacted] goto naver.com # https:// 자동 보완 ... L333: L334: ```powershell L335: # Windows PowerShell
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/install-skill.jsView on unpkg · L14

Findings

1 Critical3 High3 Medium5 Low
CriticalAi Agent Control Hijackscripts/install-skill.js
HighInstall Time Lifecycle Scriptspackage.json
HighSandbox Evasion Gated Capabilitydist/utils.js
HighKnown Malware Source Similaritydist/utils.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings