
@andy-toolforge/coding-support@1.0.1

Toolforge domain: Code analysis tools — line counting, dead code detection, dependency graphs, complexity reports

AI Security Review

scanned 6h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package has an install-time hook that plants AI-agent skill files into the consumer project's .opencode/skills directory. This is an unconsented lifecycle mutation of a broad agent control surface.

Static reason
High-risk behavior combination matched malicious policy; source fingerprint signature matched known malicious package; routed for review.
Trigger
npm install / postinstall lifecycle
Impact
alters project-level OpenCode agent behavior without explicit user invocation
Mechanism
creates .opencode/skills and symlinks or copies package markdown skills
Policy narrative
On installation, npm runs skills/postinstall.js. The script resolves the installer's current project directory, creates .opencode/skills, then symlinks or copies bundled markdown skill instructions there. Even though the skill content appears product-aligned, delivery occurs automatically during lifecycle install into a foreign/broad AI-agent control surface.
Rationale
Source inspection confirms unguarded install-time writes to .opencode/skills, which falls under the policy's blockable AI-agent control hijack category. The runtime analyzer code is otherwise benign, but it does not neutralize the lifecycle behavior.
Evidence
  • package.json
  • skills/postinstall.js
  • skills/coding-code-reviewer.md
  • skills/coding-refactoring-advisor.md
  • .opencode/skills/
  • .opencode/skills/coding-support-coding-code-reviewer.md
  • .opencode/skills/coding-support-coding-refactoring-advisor.md

Decision evidence

public snapshot
AI called this Malicious at 94.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json runs install-time hook: node skills/postinstall.js
  • skills/postinstall.js uses process.cwd() and creates .opencode/skills in the installing project
  • skills/postinstall.js symlinks or copies package-supplied markdown skills into that OpenCode agent control surface
  • Lifecycle mutation is unprompted and not guarded to a first-party extension directory
Evidence against
  • lib/index.js only exports CodebaseAnalyzer
  • lib/codebase-analyzer.js performs local code metrics using fs/path and fast-glob
  • No network APIs, child_process, eval, credential harvesting, or remote payload loading found
  • Skill markdown content is code review/refactoring guidance, not direct exfiltration logic
Behavioral surface
Source
ChildProcess · Filesystem
Supply chain
HighEntropyStrings
Manifest
NoLicense
scanned 4 file(s), 26.8 KB of source

Source & flagged code

4 flagged
package.json
scripts.postinstall = node skills/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

scripts.postinstall = node skills/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

skills/postinstall.js
Install-time AI-agent control hijack evidence (skills/postinstall.js):
  L5:  const projectRoot = process.cwd();
  L6:  const targetDir = path.join(projectRoot, '.opencode', 'skills');
  L7:  const sourceDir = path.join(__dirname);
  L8:
  L9:  fs.mkdirSync(targetDir, { recursive: true });
  L10: ...
  L21: // Fallback: copy if symlink fails
  L22: fs.copyFileSync(src, dest);
  L23: console.log(` 📄 Copied ${destName}`);
Payload evidence from AGENTS.md:
  L14: codebase-analyzer.md
  L15: package.json — deps: @andy-toolforge/core, fast-glob
  L16: ```
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

skills/postinstall.js, line 5
lib/codebase-analyzer.js
matchType = malicious_source_fingerprint_signature
signature = 971976c29dfc587e
signatureType = suspicious_hashes
sourceLabel = final_verdict:malicious
matchedPackage = @andy-toolforge/coding-support@1.0.0
matchedPath = lib/codebase-analyzer.js
matchedIdentity = npm:[redacted]:1.0.0
similarity = 1.000
shingleOverlap = 4
summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.


Findings

1 Critical · 2 High · 2 Medium · 4 Low
Critical · Ai Agent Control Hijack · skills/postinstall.js
High · Install Time Lifecycle Scripts · package.json
High · Known Malware Source Fingerprint Signature · lib/codebase-analyzer.js
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · No License