registry  /  ttj-skills-browser  /  1.2.17

ttj-skills-browser@1.2.17

ttj-skills-browser - Dedicated CDP browser with one-shot commands (eval/goto/screenshot) and page reference visualization

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. npm postinstall mutates two user-global AI-agent skill directories. It installs package-authored instructions that affect future Claude Code and Codex sessions without an explicit setup command.

Static reason
High-risk behavior combination matched malicious policy.; source matched previously finalized malicious package; routed for review; previous stored version diff introduced dangerous source
Trigger
npm installation or upgrade
Impact
Unconsented persistence in broad AI-agent control surfaces; installed instructions can influence later agent behavior.
Mechanism
postinstall copies and writes global AI-agent skill files
Policy narrative
On npm postinstall, the package reads its bundled skill file and silently installs it into both ~/.claude/skills and ~/.agents/skills, then creates a home-directory install marker. These are user-global agent instruction locations, so the package gains persistence and can influence future Claude Code and Codex sessions without a separate user command. Its browser CLI also offers arbitrary JavaScript evaluation in the active CDP tab, increasing the impact of the injected skill instructions.
Rationale
Direct inspection confirms an unconsented postinstall write to foreign, broad AI-agent control surfaces. This meets the blocking policy regardless of otherwise package-aligned browser automation.
Evidence
package.jsonscripts/install-skill.js.claude/skills/ttj-skills-browser/SKILL.mddist/cdp.jsdist/utils.js~/.claude/skills/ttj-skills-browser/SKILL.md~/.agents/skills/ttj-skills-browser/SKILL.md~/.ttj-skills-browser-installed
Network endpoints2
registry.npmjs.org/ttj-skills-browser/latest127.0.0.1:${port}

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • package.json runs postinstall: node scripts/install-skill.js.
  • scripts/install-skill.js copies package SKILL.md into ~/.claude/skills/ttj-skills-browser.
  • scripts/install-skill.js writes transformed content into ~/.agents/skills/ttj-skills-browser/SKILL.md.
  • The postinstall also creates ~/.ttj-skills-browser-installed without user invocation.
  • dist/cdp.js exposes arbitrary page JavaScript through the eval CLI command.
Evidence against
  • No credential harvesting or exfiltration was found in inspected runtime modules.
  • Registry access in dist/utils.js is a version-check request to registry.npmjs.org.
  • CDP automation is activated by explicit CLI commands and connects only to 127.0.0.1.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 8 file(s), 61.7 KB of source, external domains: 127.0.0.1, registry.npmjs.org, www.google.com, www.naver.com

Source & flagged code

7 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/install-skill.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/utils.jsView file
5import path from 'path'; L6: import net from 'net'; L7: import https from 'https'; L8: import { exec } from 'child_process'; L9: import { promisify } from 'util'; ... L17: */ L18: export const getOsType = () => process.platform === 'win32' L19: ? 'windows' ... L25: */ L26: export const getHomeDir = () => os.homedir(); L27: /** ... L33: const isWindows = getOsType() === 'windows';
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/utils.jsView on unpkg · L5
matchType = normalized_sha256 matchedPackage = ttj-sk[redacted]@1.2.13 matchedPath = dist/utils.js matchedIdentity = npm:dHRqLXNraWxscy1icm93c2Vy:1.2.13 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/utils.jsView on unpkg
scripts/install-skill.jsView file
14Install-time AI-agent control hijack evidence: L14: const skillName = 'ttj-sk[redacted]'; L15: const sk[redacted] = path.join(__dirname, '..', '.claude', 'skills', skillName); L16: const skillFile = 'SKILL.md'; ... L19: if (!fs.existsSync(dir)) { L20: fs.mkdirSync(dir, { recursive: true }); L21: } ... L43: // Claude Code: 기존 /ttj-sk[redacted] 호출 방식 유지 L44: const claudeTargetDir = path.join(homedir(), '.claude', 'skills', skillName); L45: const claudeTargetFile = path.join(claudeTargetDir, skillFile); L46: ensureDir(claudeTargetDir); L47: fs.copyFileSync(sourceFile, claudeTargetFile); L48: console.log(`✅ Claude Code 스킬 설치 완료: ${claudeTargetFile}`); Payload evidence from .claude/skills/ttj-sk[redacted]/SKILL.md: L69: L70: ### eval — 활성 탭에서 JS 실행 (결과는 JSON으로 stdout 출력) L71: ```bash ... L79: ```bash L80: ttj-sk[redacted] goto https://www.naver.com L81: ttj-sk[redacted] goto naver.com # https:// 자동 보완
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/install-skill.jsView on unpkg · L14
dist/browser.jsView file
matchType = token_shingles matchedPackage = ttj-sk[redacted]@1.2.13 matchedPath = dist/browser.js matchedIdentity = npm:dHRqLXNraWxscy1icm93c2Vy:1.2.13 similarity = 1.000 shingleOverlap = 48 summary = source token shingles overlapped finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/browser.jsView on unpkg
dist/cli.jsView file
matchType = token_shingles matchedPackage = ttj-sk[redacted]@1.2.13 matchedPath = dist/cli.js matchedIdentity = npm:dHRqLXNraWxscy1icm93c2Vy:1.2.13 similarity = 1.000 shingleOverlap = 48 summary = source token shingles overlapped finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/cli.jsView on unpkg
matchType = previous_version_dangerous_delta matchedPackage = ttj-sk[redacted]@1.2.16 matchedIdentity = npm:dHRqLXNraWxscy1icm93c2Vy:1.2.16 similarity = 0.714 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli.jsView on unpkg

Findings

1 Critical6 High3 Medium5 Low
CriticalAi Agent Control Hijackscripts/install-skill.js
HighInstall Time Lifecycle Scriptspackage.json
HighSandbox Evasion Gated Capabilitydist/utils.js
HighKnown Malware Source Similaritydist/utils.js
HighKnown Malware Source Similaritydist/browser.js
HighKnown Malware Source Similaritydist/cli.js
HighPrevious Version Dangerous Deltadist/cli.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings