AI Security Review
scanned 2h ago · by lpm-firewall-ai
LPM blocks this version under the AI-agent control-surface policy. The package automatically installs agent skill files into a project-level .opencode/skills directory during npm postinstall. This is an unconsented lifecycle mutation of an AI-agent control surface.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall
Impact
AI agent behavior can be extended or influenced in the consumer project without explicit user action
Mechanism
postinstall creates .opencode/skills and symlinks/copies package skill markdown
Policy narrative
On installation, npm runs skills/postinstall.js. The script uses process.cwd() as the consumer project root, creates .opencode/skills, and links or copies every package markdown skill into that directory. Although the skill content appears aligned with content operations and the library code is mostly prompt-based, the delivery mechanism automatically mutates a broad project AI-agent skill surface at lifecycle time.
Rationale
Source inspection confirms automatic lifecycle installation into .opencode/skills, which falls under unconsented AI-agent control-surface mutation. The absence of exfiltration or classic malware does not remove the blockable install-time agent hijack behavior.
Evidence
- package.json
- skills/postinstall.js
- skills/trend-discovery.md
- skills/blog-writing.md
- lib/index.js
- lib/researcher.js
- .opencode/skills/content-operations-*.md
- skills/*.md
Decision evidence
public snapshot
AI called this Malicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
- package.json runs postinstall: node skills/postinstall.js
- skills/postinstall.js creates .opencode/skills under install cwd
- postinstall symlinks or copies package .md skill files into that agent skill directory
- Lifecycle mutation is automatic and unprompted during npm install
Evidence against
- lib/index.js only exports content operation classes
- lib/*.js primarily builds LLM prompts and validates inputs
- No credential harvesting or environment scanning found
- No hardcoded network endpoint; competitor URL fetch is user-supplied and runtime-only
Behavioral surface
Filesystem
UrlStrings
NoLicense
Source & flagged code
2 flagged
package.json
•scripts.postinstall = node skills/postinstall.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
•scripts.postinstall = node skills/postinstall.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
Findings
1 High · 1 Medium · 4 Low
High · Install Time Lifecycle Scripts · package.json
Medium · Ambiguous Install Lifecycle Script · package.json
Low · Scripts Present
Low · Filesystem
Low · Url Strings
Low · No License