
@andy-toolforge/book-writing@1.0.1

Toolforge domain: Book writing engine — outline generation, chapter writing, consistency review, multi-format export

AI Security Review

scanned 6h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Install-time lifecycle code mutates an Opencode agent skill directory in the consumer project. It plants package-supplied AI-agent instructions without an explicit user-invoked setup step.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install / postinstall lifecycle
Impact
AI-agent control surface can be changed in the installing project, causing future agent sessions to load package-supplied instructions
Mechanism
unconsented lifecycle creation of .opencode/skills and symlink/copy of markdown skills
Policy narrative
When the package is installed, npm runs skills/postinstall.js. That script creates .opencode/skills in the current project and symlinks or copies the package's markdown skill files there, causing a project-level AI-agent skill surface to include package-supplied instructions without a separate opt-in command.
Rationale
Source inspection confirms unconsented lifecycle mutation of a broad/project AI-agent control surface via .opencode/skills, which matches the block policy even though the planted content is product-aligned. No separate exfiltration or remote execution was found.
Evidence
  • package.json
  • skills/postinstall.js
  • skills/book-writing-assistant.md
  • skills/book-summarizer.md
  • lib/writer.js
  • mcp-tools.js
  • .opencode/skills/book-writing-book-writing-assistant.md
  • .opencode/skills/book-writing-book-summarizer.md

Decision evidence

public snapshot
AI called this Malicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json runs postinstall: node skills/postinstall.js
  • skills/postinstall.js creates .opencode/skills under process.cwd() at install time
  • skills/postinstall.js symlinks or copies package markdown skills into that agent skill directory
  • Dropped skills contain agent workflow instructions for book-writing and summarization
Evidence against
  • No credential/env harvesting found in reviewed source
  • No network calls or endpoints found
  • No child_process, eval, native binary, or remote code loading found
  • Runtime lib/writer.js is package-aligned book outline/chapter/review/export logic
Behavioral surface
Source: Filesystem
Supply chain: No supply-chain packaging signals triggered.
Manifest: No License
scanned 5 file(s), 25.2 KB of source

Source & flagged code

3 flagged
package.json
scripts.postinstall = node skills/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node skills/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
skills/postinstall.js
Install-time AI-agent control hijack evidence (skills/postinstall.js):
    L5:  const projectRoot = process.cwd();
    L6:  const targetDir = path.join(projectRoot, '.opencode', 'skills');
    L7:  const sourceDir = path.join(__dirname);
    L8:
    L9:  fs.mkdirSync(targetDir, { recursive: true });
    L10: ...
    L21: // Fallback: copy if symlink fails
    L22: fs.copyFileSync(src, dest);
    L23: console.log(` 📄 Copied ${destName}`);
Payload evidence from AGENTS.md:
    L14: book-writer.md
    L15: package.json — deps: @andy-toolforge/core
    L16: ```
Critical
AI Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

skills/postinstall.js · L5

Findings

1 Critical · 1 High · 2 Medium · 3 Low
Critical · AI Agent Control Hijack · skills/postinstall.js
High · Install Time Lifecycle Scripts · package.json
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · No License