registry  /  @andy-toolforge/coding-support  /  1.0.2

@andy-toolforge/coding-support@1.0.2

Toolforge domain: Code analysis tools — line counting, dead code detection, dependency graphs, complexity reports

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package has an install-time AI-agent control-surface write. npm install executes a postinstall script that installs package-supplied OpenCode skills into the consuming project.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install or any lifecycle-running package installation
Impact
Unconsented modification of a broad AI-agent skill directory in the consuming project; no exfiltration or remote payload behavior observed.
Mechanism
postinstall creates .opencode/skills and symlinks or copies markdown skill files
Policy narrative
On installation, npm runs skills/postinstall.js. That script uses process.cwd() as the project root, creates .opencode/skills, then symlinks or copies each markdown skill from the package into that agent skill directory with a coding-support prefix. This is not merely package-owned runtime code; it mutates an AI-agent control surface in the consuming project during install.
Rationale
Source inspection confirms unconsented postinstall mutation of a project-level OpenCode skill directory, which matches the firewall block policy for broad AI-agent control-surface writes. No network exfiltration or remote code execution was found, but the install-time agent configuration mutation is sufficient for block. Product guard normalized a concrete AI-agent control hijack publish_block to the blockable dangerous-capability shape.
Evidence
package.jsonskills/postinstall.jsskills/coding-code-reviewer.mdskills/coding-refactoring-advisor.mdlib/codebase-analyzer.jsmcp-tools.js.opencode/skills/coding-support-coding-code-reviewer.md.opencode/skills/coding-support-coding-refactoring-advisor.md

Decision evidence

public snapshot
AI called this Malicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node skills/postinstall.js.
  • skills/postinstall.js runs at install time and creates .opencode/skills under process.cwd().
  • postinstall links or copies package markdown skill files into the project AI-agent skill directory without an explicit user command.
  • Dropped skills instruct AI code review/refactoring behavior, making this an AI-agent control-surface mutation.
Evidence against
  • No network APIs, HTTP endpoints, or credential harvesting found in reviewed files.
  • No child_process, eval/vm/Function, native binary loading, destructive deletion, or persistence beyond dropped .opencode skill files.
  • Runtime library lib/codebase-analyzer.js is aligned with advertised code analysis features and reads user-selected files/globs.
Behavioral surface
Source
ChildProcessFilesystem
Supply chain
HighEntropyStrings
Manifest
NoLicense
scanned 5 file(s), 31.2 KB of source

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node skills/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node skills/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
skills/postinstall.jsView file
5Install-time AI-agent control hijack evidence: L5: const projectRoot = process.cwd(); L6: const targetDir = path.join(projectRoot, '.opencode', 'skills'); L7: const sourceDir = path.join(__dirname); L8: L9: fs.mkdirSync(targetDir, { recursive: true }); L10: ... L21: // Fallback: copy if symlink fails L22: fs.copyFileSync(src, dest); L23: console.log(` 📄 Copied ${destName}`); Payload evidence from AGENTS.md: L14: codebase-analyzer.md L15: package.json — deps: @andy-toolforge/core, fast-glob L16: ```
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

skills/postinstall.jsView on unpkg · L5

Findings

1 Critical1 High2 Medium4 Low
CriticalAi Agent Control Hijackskills/postinstall.js
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowNo License