AI Security Review
scanned 3d ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package mutates a Claude agent skills directory at npm install time. Although the bundled skill appears safety-oriented, it is still an unconsented lifecycle write into an AI-agent control surface.
Decision evidence
public snapshot
- package.json defines postinstall: node postinstall.mjs
- postinstall.mjs imports ./dist/skillInstall.js and calls installSkillBestEffort during npm install
- dist/skillInstall.js copies bundled skill into ~/.claude/skills/tunnel-etiquette by default
- dist/skillInstall.js only skips on CI or TUNNEL_SKIP_SKILL_INSTALL; no install-time user consent
- skill/tunnel-etiquette/SKILL.md is an AI-agent behavior instruction file
- Skill content warns that tunnel peers are untrusted and asks for human approval before writes or risky commands
- dist/skillInstall.js does not overwrite an existing skill unless explicit installSkill overwrite is used
- dist/cloudflared/provision.js downloads cloudflared only from GitHub release URLs for package-aligned tunnel functionality
- dist/tools.js exposes user-invoked MCP tunnel tools, not import-time exfiltration
- No credential harvesting or arbitrary env/file exfiltration found in inspected source
Source & flagged code
4 flagged
- package.json: Package defines install-time lifecycle scripts.
- package.json: Install-time lifecycle script is not statically allowlisted and needs review.
- dist/cloudflared/provision.js, L4: Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
- dist/cloudflared/tunnelProcess.js: This package version adds a dangerous source file absent from the previous stored version.