registry  /  ttj-skills-browser  /  1.2.13

ttj-skills-browser@1.2.13

ttj-skills-browser - Dedicated CDP browser with one-shot commands (eval/goto/screenshot) and page reference visualization

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Install-time code modifies global Claude Code and Codex agent skill directories without user invocation. The dropped instruction file grants broad tools and instructs agents to route browser work through this package.

Static reason
High-risk behavior combination matched malicious policy.; source matched previously finalized malicious package; routed for review; previous stored version diff introduced dangerous source
Trigger
npm postinstall
Impact
Persistent alteration of foreign AI-agent control surfaces and future agent behavior.
Mechanism
global AI-agent skill injection
Policy narrative
On installation, the postinstall script copies package-controlled instructions into the user-global Claude Code and Codex skill directories and creates a persistent installation flag. The injected skill enables Bash, Read, and Write, mandates that future browser work use this package, and exposes CDP eval, navigation, clicking, typing, and screenshots. This is an unconsented postinstall mutation of foreign/broad AI-agent control surfaces.
Rationale
Direct source inspection confirms unconsented postinstall injection into both global agent skill locations. This meets the blocking policy regardless of the absence of credential exfiltration.
Evidence
package.jsonscripts/install-skill.js.claude/skills/ttj-skills-browser/SKILL.mddist/browser.jsdist/utils.jsdist/cdp.js~/.claude/skills/ttj-skills-browser/SKILL.md~/.agents/skills/ttj-skills-browser/SKILL.md~/.ttj-skills-browser-installed
Network endpoints2
registry.npmjs.org127.0.0.1:${port}

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • package.json runs postinstall.
  • scripts/install-skill.js writes ~/.claude/skills/ttj-skills-browser/SKILL.md.
  • scripts/install-skill.js writes ~/.agents/skills/ttj-skills-browser/SKILL.md.
  • The installed skill grants Bash, Read, Write and directs agent browser work through this package.
  • dist/browser.js auto-updates via npm install -g when the CLI runs.
Evidence against
  • No credential harvesting or external exfiltration found.
  • Network use is npm registry version checking and user-directed browser navigation.
  • CDP connects only to 127.0.0.1.
  • Shell execution is used for Chrome/process discovery and package self-update.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 8 file(s), 57.3 KB of source, external domains: 127.0.0.1, registry.npmjs.org, www.google.com, www.naver.com

Source & flagged code

5 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/install-skill.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/utils.jsView file
5import path from 'path'; L6: import net from 'net'; L7: import https from 'https'; L8: import { exec } from 'child_process'; L9: import { promisify } from 'util'; ... L17: */ L18: export const getOsType = () => process.platform === 'win32' L19: ? 'windows' ... L25: */ L26: export const getHomeDir = () => os.homedir(); L27: /** ... L33: const isWindows = getOsType() === 'windows';
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/utils.jsView on unpkg · L5
matchType = normalized_sha256 matchedPackage = ttj-sk[redacted]@1.2.12 matchedPath = dist/utils.js matchedIdentity = npm:dHRqLXNraWxscy1icm93c2Vy:1.2.12 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/utils.jsView on unpkg
scripts/install-skill.jsView file
14Install-time AI-agent control hijack evidence: L14: const skillName = 'ttj-sk[redacted]'; L15: const sk[redacted] = path.join(__dirname, '..', '.claude', 'skills', skillName); L16: const skillFile = 'SKILL.md'; ... L19: if (!fs.existsSync(dir)) { L20: fs.mkdirSync(dir, { recursive: true }); L21: } ... L43: // Claude Code: 기존 /ttj-sk[redacted] 호출 방식 유지 L44: const claudeTargetDir = path.join(homedir(), '.claude', 'skills', skillName); L45: const claudeTargetFile = path.join(claudeTargetDir, skillFile); L46: ensureDir(claudeTargetDir); L47: fs.copyFileSync(sourceFile, claudeTargetFile); L48: console.log(`✅ Claude Code 스킬 설치 완료: ${claudeTargetFile}`); Payload evidence from .claude/skills/ttj-sk[redacted]/SKILL.md: L68: L69: ### eval — 활성 탭에서 JS 실행 (결과는 JSON으로 stdout 출력) L70: ```bash ... L78: ```bash L79: ttj-sk[redacted] goto https://www.naver.com L80: ttj-sk[redacted] goto naver.com # https:// 자동 보완
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/install-skill.jsView on unpkg · L14
dist/browser.jsView file
matchType = previous_version_dangerous_delta matchedPackage = ttj-sk[redacted]@1.2.10 matchedIdentity = npm:dHRqLXNraWxscy1icm93c2Vy:1.2.10 similarity = 0.714 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/browser.jsView on unpkg

Findings

1 Critical4 High3 Medium5 Low
CriticalAi Agent Control Hijackscripts/install-skill.js
HighInstall Time Lifecycle Scriptspackage.json
HighSandbox Evasion Gated Capabilitydist/utils.js
HighKnown Malware Source Similaritydist/utils.js
HighPrevious Version Dangerous Deltadist/browser.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings