registry  /  ttj-skills-browser  /  1.2.12

ttj-skills-browser@1.2.12

ttj-skills-browser - Dedicated CDP browser with one-shot commands (eval/goto/screenshot) and page reference visualization

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. An npm `postinstall` modifies global Claude Code and Codex agent-skill directories without an explicit setup command. The dropped skill has auto-invocation rules and directs agent browser activity through this package.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
Installing the package with npm, including dependency installation that runs lifecycle scripts.
Impact
Unconsented persistent AI-agent behavior modification; subsequent agent sessions can auto-invoke package-controlled browser automation.
Mechanism
postinstall writes package-supplied AI-agent skill instructions into global agent control surfaces.
Policy narrative
At install time, `scripts/install-skill.js` copies package-controlled instructions into the user's global Claude and Codex skill directories, then creates a home-directory marker. The installed skill is automatically invokable and instructs the AI to route browser activity through this package's CDP automation. Separately, a user-launched CLI checks the npm registry daily and executes `npm install -g ttj-skills-browser@latest` if a newer release exists. The unconsented postinstall mutation of broad AI-agent control surfaces is the concrete blocking behavior.
Rationale
This package performs an unconsented `postinstall` write into foreign global AI-agent skill locations, not merely a package-owned setup directory. That meets the firewall policy's publish-block boundary regardless of the absence of credential exfiltration.
Evidence
package.jsonscripts/install-skill.js.claude/skills/ttj-skills-browser/SKILL.mddist/browser.jsdist/utils.js~/.claude/skills/ttj-skills-browser/SKILL.md~/.agents/skills/ttj-skills-browser/SKILL.md~/.ttj-skills-browser-installed~/.ttj-skills-browser/.last-update-check
Network endpoints1
registry.npmjs.org

Decision evidence

public snapshot
AI called this Malicious at 98.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • `package.json` runs `scripts/install-skill.js` in `postinstall`.
  • Installer unconditionally writes `SKILL.md` into `~/.claude/skills/ttj-skills-browser`.
  • Installer also writes a converted skill into `~/.agents/skills/ttj-skills-browser`.
  • Dropped skill enables automatic invocation and directs AI browser work through this package.
  • `dist/browser.js` auto-installs `ttj-skills-browser@latest` when its CLI later detects an update.
Evidence against
  • No source path harvests credentials or environment secrets.
  • No confirmed exfiltration endpoint beyond npm update checks.
  • CDP browser actions require explicit CLI/skill activation at runtime.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 8 file(s), 55.4 KB of source, external domains: 127.0.0.1, registry.npmjs.org, www.google.com, www.naver.com

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/install-skill.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/utils.jsView file
5import path from 'path'; L6: import net from 'net'; L7: import https from 'https'; L8: import { exec } from 'child_process'; L9: import { promisify } from 'util'; ... L17: */ L18: export const getOsType = () => process.platform === 'win32' L19: ? 'windows' ... L25: */ L26: export const getHomeDir = () => os.homedir(); L27: /** ... L33: const isWindows = getOsType() === 'windows';
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/utils.jsView on unpkg · L5
scripts/install-skill.jsView file
14Install-time AI-agent control hijack evidence: L14: const skillName = 'ttj-sk[redacted]'; L15: const sk[redacted] = path.join(__dirname, '..', '.claude', 'skills', skillName); L16: const skillFile = 'SKILL.md'; ... L19: if (!fs.existsSync(dir)) { L20: fs.mkdirSync(dir, { recursive: true }); L21: } ... L43: // Claude Code: 기존 /ttj-sk[redacted] 호출 방식 유지 L44: const claudeTargetDir = path.join(homedir(), '.claude', 'skills', skillName); L45: const claudeTargetFile = path.join(claudeTargetDir, skillFile); L46: ensureDir(claudeTargetDir); L47: fs.copyFileSync(sourceFile, claudeTargetFile); L48: console.log(`✅ Claude Code 스킬 설치 완료: ${claudeTargetFile}`); Payload evidence from .claude/skills/ttj-sk[redacted]/SKILL.md: L68: L69: ### eval — 활성 탭에서 JS 실행 (결과는 JSON으로 stdout 출력) L70: ```bash ... L78: ```bash L79: ttj-sk[redacted] goto https://www.naver.com L80: ttj-sk[redacted] goto naver.com # https:// 자동 보완
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/install-skill.jsView on unpkg · L14
dist/browser.jsView file
matchType = previous_version_dangerous_delta matchedPackage = ttj-sk[redacted]@1.2.10 matchedIdentity = npm:dHRqLXNraWxscy1icm93c2Vy:1.2.10 similarity = 0.714 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/browser.jsView on unpkg

Findings

1 Critical3 High3 Medium5 Low
CriticalAi Agent Control Hijackscripts/install-skill.js
HighInstall Time Lifecycle Scriptspackage.json
HighSandbox Evasion Gated Capabilitydist/utils.js
HighPrevious Version Dangerous Deltadist/browser.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings