AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM blocks this version under the AI-agent control-surface policy. Install-time script mutates a project-level AI agent skill directory. It plants package-provided instructions into .opencode/skills without user invocation beyond npm install.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install / postinstall lifecycle
Impact
AI agent control-surface mutation in the consuming project
Mechanism
unconsented lifecycle creation of OpenCode skill links/copies
Policy narrative
On install, npm runs skills/postinstall.js. The script resolves the consumer project as process.cwd(), creates .opencode/skills, then symlinks or copies package-supplied Markdown skill instructions into that AI agent control surface. There is no prompt, environment gate, existing-install check, or explicit CLI opt-in.
Rationale
The runtime library is benign local code analysis, but the lifecycle hook unconditionally plants agent instructions into a project-level .opencode skill surface. Under the install control-surface policy, unconsented lifecycle mutation of a broad/foreign AI-agent control surface is blockable even if the content is package-aligned.
Evidence
package.jsonskills/postinstall.jsskills/coding-code-reviewer.mdskills/coding-refactoring-advisor.mdlib/index.jslib/codebase-analyzer.js.opencode/skills/coding-support-coding-code-reviewer.md.opencode/skills/coding-support-coding-refactoring-advisor.md
Decision evidence
public snapshotAI called this Malicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
- package.json runs postinstall: node skills/postinstall.js
- skills/postinstall.js uses process.cwd() and creates .opencode/skills during install
- postinstall symlinks or copies package Markdown skill files into the consumer project's .opencode/skills agent surface without an opt-in guard
Evidence against
- lib/index.js only exports CodebaseAnalyzer
- lib/codebase-analyzer.js performs local static analysis with fs/path and fast-glob
- No network, child_process, eval, credential harvesting, or destructive file operations found
Behavioral surface
ChildProcessFilesystem
HighEntropyStrings
NoLicense
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node skills/postinstall.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node skills/postinstall.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High1 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowNo License