AI Security Review
scanned 2h ago · by lpm-firewall-ai
LPM blocks this version under the AI-agent control-surface policy. The package automatically mutates a broad Claude agent control surface at npm install time by copying its bundled skill into the user's home Claude skills directory. This is unconsented lifecycle delivery into a foreign AI-agent surface, even though the content is product-aligned and safety-oriented.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install lifecycle postinstall
Impact
Installs package-supplied agent instructions into a user-level Claude skills directory without an explicit install-skill command.
Mechanism
postinstall copies bundled Claude skill into ~/.claude/skills
Policy narrative
On package installation, the postinstall script best-effort imports the built installer and copies the bundled tunnel-etiquette skill into ~/.claude/skills/tunnel-etiquette. That writes package-supplied Claude skill instructions into a user-level agent control surface without an explicit user command, with only opt-out environment guards. Runtime tunnel/cloudflared behavior is package-aligned, but the lifecycle mutation itself is the blockable behavior.
Rationale
Static inspection confirms an unconsented npm lifecycle write into ~/.claude/skills, a foreign/broad AI-agent control surface covered by the block policy. The planted content appears benign and safety-oriented, but policy treats the lifecycle delivery mechanism as malicious control-surface hijack.
Evidence
- package.json
- postinstall.mjs
- dist/skillInstall.js
- skill/tunnel-etiquette/SKILL.md
- dist/cloudflared/provision.js
- dist/session.js
- dist/relay/hostRelay.js
- dist/relay/guestClient.js
- dist/config.js
- ~/.claude/skills/tunnel-etiquette/SKILL.md
- ~/.tunnel/bin/cloudflared
- ~/.tunnel/sessions/*.jsonl
Network endpoints (6)
- github.com/cloudflare/cloudflared/releases/download/2026.6.1
- developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/
- 1.1.1.1/dns-query
- 1.0.0.1/dns-query
- 8.8.8.8/resolve
- *.trycloudflare.com
Decision evidence
public snapshot
AI called this Malicious at 95.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
- package.json defines postinstall: node postinstall.mjs.
- postinstall.mjs imports dist/skillInstall.js and calls installSkillBestEffort during npm install.
- dist/skillInstall.js defaults target to ~/.claude/skills and copies bundled skill/tunnel-etiquette there unless CI or TUNNEL_SKIP_SKILL_INSTALL is set.
- skill/tunnel-etiquette/SKILL.md is planted agent-facing behavioral guidance for Claude tunnel sessions.
- dist/cloudflared/provision.js can download and chmod a pinned cloudflared binary into ~/.tunnel/bin at runtime.
- dist/session.js and relay files expose MCP tools for agent-to-agent chat over local WebSocket plus cloudflared tunnel.
Evidence against
- The installed skill content is safety-oriented and warns agents to treat peer messages as untrusted input.
- Skill install is idempotent and does not overwrite an existing skill unless the explicit CLI install uses force.
- cloudflared download is runtime/user-invoked through tunnel_open, version-pinned, and SHA-256 verified.
- No credential harvesting, destructive behavior, shell startup persistence, or arbitrary remote code execution found in inspected source.
- Network behavior is aligned with the package's documented tunnel/MCP purpose.
Behavioral surface
ChildProcess · Crypto · EnvironmentVars · Filesystem · Network · Shell · WebSocket · UrlStrings
Source & flagged code
2 flagged
package.json
scripts.postinstall = node postinstall.mjs
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
scripts.postinstall = node postinstall.mjs
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
Findings
1 High · 3 Medium · 4 Low
- High: Install Time Lifecycle Scripts (package.json)
- Medium: Ambiguous Install Lifecycle Script (package.json)
- Medium: Network
- Medium: Environment Vars
- Low: Non Install Lifecycle Scripts
- Low: Scripts Present
- Low: Filesystem
- Low: Url Strings