@andy-toolforge/ba-support@1.0.0

Toolforge domain: Business analysis support — competitor analysis, SWOT, pricing analysis, market trends, report generation

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package writes to an AI-agent control surface at install time: on npm install it creates .opencode/skills in the consuming project and places the package's Markdown skills there by symlink or copy.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install / postinstall
Impact
Installs package-supplied agent instructions into the consumer project's AI-agent skill surface without explicit user action.
Mechanism
unconsented lifecycle registration of OpenCode skills
Policy narrative
During npm installation, the postinstall script resolves the consumer project root from process.cwd(), creates .opencode/skills, then symlinks or copies every Markdown skill from the package into that directory with a ba-support prefix. This plants package-controlled AI-agent skills into a project-level OpenCode control surface as a lifecycle side effect, with no opt-in or path guard.
Rationale
Although the skill content appears product-aligned and no exfiltration or shell execution was found, the unconsented postinstall write into a broad AI-agent control surface matches the blockable lifecycle control-hijack policy. The malicious verdict is based on delivery mechanism and target, not on classic malware behavior.
Evidence
  • package.json
  • skills/postinstall.js
  • skills/ba-requirement-gatherer.md
  • skills/ba-competitor-analysis.md
  • lib/researcher.js
  • .opencode/skills

Decision evidence

public snapshot
AI called this Malicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json defines postinstall lifecycle: node skills/postinstall.js
  • skills/postinstall.js runs at npm install and creates .opencode/skills under process.cwd()
  • postinstall symlinks or copies package Markdown skill files into that OpenCode agent skill directory without an opt-in check
  • Lifecycle mutation targets a project-level AI agent control surface outside package-owned files
Evidence against
  • No network calls or remote endpoints in source inspection
  • No child_process, eval/vm/Function, native binary loading, credential harvesting, or exfiltration found
  • lib/researcher.js only uses caller-provided llmClient for business-analysis prompts
Behavioral surface
Source
Filesystem
Supply chain
UrlStrings
Manifest
NoLicense
scanned 4 file(s), 19.9 KB of source, external domains: example.com

Source & flagged code

2 flagged

package.json
scripts.postinstall = node skills/postinstall.js
High: Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node skills/postinstall.js
Medium: Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.

Findings

1 High, 1 Medium, 4 Low
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Low: Scripts Present
  • Low: Filesystem
  • Low: Url Strings
  • Low: No License