
@andy-toolforge/ba-support@1.0.1

Toolforge domain: Business analysis support — competitor analysis, SWOT, pricing analysis, market trends, report generation

AI Security Review

scanned 6h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Install-time code mutates an Opencode AI-agent skill surface in the consumer project. It drops package-supplied skill instructions automatically during npm install.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install lifecycle postinstall
Impact
Consumer projects receive agent instructions without explicit user opt-in, altering a broad AI-agent control surface.
Mechanism
unconsented lifecycle creation of AI-agent skill files
Policy narrative
On install, npm runs skills/postinstall.js. The script takes process.cwd() as the project root (the directory npm install was run in), creates .opencode/skills beneath it, then symlinks every markdown skill file shipped in the package into that directory under a ba-support- prefix, falling back to a plain copy when the symlink fails. This is an automatic write into an AI-agent skill/control surface, not a user-invoked setup step.
Rationale
Although the planted skills are business-analysis aligned and no exfiltration was found, the package automatically writes AI-agent control files into the consumer project during postinstall. Under the install control-surface policy, unconsented lifecycle mutation of a broad/foreign agent skill surface is blockable.
Evidence
  • package.json
  • skills/postinstall.js
  • skills/ba-requirement-gatherer.md
  • skills/ba-competitor-analysis.md
  • .opencode/skills/ba-support-ba-requirement-gatherer.md
  • .opencode/skills/ba-support-ba-competitor-analysis.md
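As an added check, not code from @andy-toolforge/ba-support, from LPM or from this page, the script below applies the policy in the narrative above (lifecycle hook + process.cwd() root + writes into an agent skill directory) to a package.json and the files its hooks execute, so it can be run over an unpacked tarball before npm install. The agent-control path list (only .opencode comes from the report), the hypothetical package name example-ba-support and the sample installer source are constructed assumptions modelled on the evidence, not data taken from the registry.

```javascript
// Added example, not code from @andy-toolforge/ba-support or from LPM: a static
// pre-install check that applies the control-surface policy described above
// to a package.json and the files its lifecycle hooks execute. Node only, no deps.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Paths that act as AI-agent control surfaces. Assumed list; only
// '.opencode' comes from the report, extend it for your own tooling.
const AGENT_CONTROL_PATHS = [
  '.opencode', '.claude', '.cursor', '.codex', '.mcp.json',
  'AGENTS.md', 'CLAUDE.md', '.github/copilot-instructions.md',
];

// fs calls that mutate the consumer's filesystem (sync and callback forms).
const WRITE_CALLS =
  /\bfs\.(mkdirSync|writeFileSync|copyFileSync|symlinkSync|cpSync|appendFileSync|mkdir|writeFile|copyFile|symlink|cp)\b/g;

// Lifecycle hooks declared in package.json, name -> command.
function lifecycleScripts(pkgJsonText) {
  const scripts = JSON.parse(pkgJsonText).scripts || {};
  const hooks = {};
  for (const name of LIFECYCLE_HOOKS) if (scripts[name]) hooks[name] = scripts[name];
  return hooks;
}

// "node skills/postinstall.js" -> "skills/postinstall.js"; anything else -> null.
function scriptFileOf(command) {
  const m = /^\s*node\s+(\S+)/.exec(command);
  return m ? m[1] : null;
}

// Static facts about one script: does it root itself at the install cwd,
// which write calls does it make, which agent control paths does it name.
function analyzeScript(source) {
  return {
    usesCwdAsRoot: /process\.cwd\(\)/.test(source),
    writes: [...new Set([...source.matchAll(WRITE_CALLS)].map(m => m[1]))],
    agentPaths: AGENT_CONTROL_PATHS.filter(p => source.includes(p)),
  };
}

// Policy: a lifecycle hook that writes into an agent control surface is
// blocked; any other lifecycle hook needs review; no hook at all is allowed.
function evaluatePackage(pkgJsonText, files) {
  const hooks = lifecycleScripts(pkgJsonText);
  const reasons = [];
  for (const [hook, command] of Object.entries(hooks)) {
    reasons.push(`package.json defines ${hook}: ${command}`);
    const file = scriptFileOf(command);
    if (!file || !(file in files)) continue; // not a node script we can see statically
    const facts = analyzeScript(files[file]);
    if (facts.usesCwdAsRoot) reasons.push(`${file} uses process.cwd() as project root`);
    if (facts.writes.length) reasons.push(`${file} calls fs.${facts.writes.join(', fs.')}`);
    if (facts.agentPaths.length) reasons.push(`${file} names agent control path(s): ${facts.agentPaths.join(', ')}`);
    if (facts.writes.length && facts.agentPaths.length) return { verdict: 'block', reasons };
  }
  return { verdict: Object.keys(hooks).length ? 'review' : 'allow', reasons };
}

// Constructed sample modelled on the report (hypothetical package name):
// postinstall plants markdown skills into <cwd>/.opencode/skills.
const FLAGGED_PKG = JSON.stringify({
  name: 'example-ba-support', version: '0.0.0',
  scripts: { postinstall: 'node skills/postinstall.js' },
});
const SKILL_INSTALLER = `
const fs = require('fs');
const path = require('path');
const projectRoot = process.cwd();
const targetDir = path.join(projectRoot, '.opencode', 'skills');
fs.mkdirSync(targetDir, { recursive: true });
for (const f of fs.readdirSync(__dirname).filter(n => n.endsWith('.md'))) {
  const src = path.join(__dirname, f);
  const dest = path.join(targetDir, 'ba-support-' + f);
  try { fs.symlinkSync(src, dest); } catch (e) { fs.copyFileSync(src, dest); }
}
`;

// The same installer exposed as an explicit bin command the user must run
// (e.g. npx ba-support-install-skills): no lifecycle hook, so not blocked.
const OPT_IN_PKG = JSON.stringify({
  name: 'example-ba-support', version: '0.0.0',
  bin: { 'ba-support-install-skills': 'skills/install.js' },
});

function demo() {
  return {
    flagged: evaluatePackage(FLAGGED_PKG, { 'skills/postinstall.js': SKILL_INSTALLER }),
    optIn: evaluatePackage(OPT_IN_PKG, { 'skills/install.js': SKILL_INSTALLER }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The flagged sample yields a block with the same four evidence lines the report lists; the opt-in variant, which moves the identical installer behind a bin command, is allowed because the write only happens when the user invokes it. Two caveats: the string matching is a triage filter, not a sandbox, so a hook that assembles paths or fs calls dynamically slips past it and should fall to the "review" path; and the blunt local control is npm install --ignore-scripts (or ignore-scripts=true in .npmrc), which also disables your own project's lifecycle scripts, so pair it with an explicit build step.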

Decision evidence

public snapshot
AI called this Malicious at 95.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node skills/postinstall.js
  • skills/postinstall.js creates .opencode/skills under install cwd
  • postinstall symlinks or copies package markdown skills into that agent skill directory
  • Lifecycle mutation is automatic and not guarded by a user opt-in or an existing platform extension path
Evidence against
  • No credential/env harvesting found
  • No network calls or remote payload fetches found
  • Runtime lib/researcher.js is package-aligned LLM business-analysis functionality
Behavioral surface
  • Source
  • Filesystem
  • Supply chain
  • UrlStrings
  • Manifest
  • NoLicense
scanned 5 file(s), 24.7 KB of source, external domains: example.com

Source & flagged code

3 flagged
package.json
scripts.postinstall = node skills/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node skills/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.
skills/postinstall.js · L5
Install-time AI-agent control hijack evidence:
L5: const projectRoot = process.cwd();
L6: const targetDir = path.join(projectRoot, '.opencode', 'skills');
L7: const sourceDir = path.join(__dirname);
L8:
L9: fs.mkdirSync(targetDir, { recursive: true });
L10: ...
L20: } catch (e) {
L21: fs.copyFileSync(src, dest);
L22: console.log(` 📄 Copied ${destName}`);
Payload evidence from AGENTS.md:
L15: swot-analyzer.md
L16: package.json — deps: @andy-toolforge/core
L17: ```
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

Findings

1 Critical · 1 High · 2 Medium · 4 Low
  • Critical · Ai Agent Control Hijack · skills/postinstall.js
  • High · Install Time Lifecycle Scripts · package.json
  • Medium · Ambiguous Install Lifecycle Script · package.json
  • Medium · Structural Risk Force Deep Review
  • Low · Scripts Present
  • Low · Filesystem
  • Low · Url Strings
  • Low · No License