@andy-toolforge/content-operations@1.0.1

Toolforge domain: content operations — research, plan, create, distribute, analyze

AI Security Review

scanned 6h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package mutates an AI-agent skill control surface at install time. The planted files are package-aligned content-operation skills, but delivery is automatic via npm lifecycle into the consumer project.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install / postinstall
Impact
A consuming project receives package-supplied OpenCode skills without an explicit user action, changing agent behavior in that project.
Mechanism
unconsented lifecycle write of AI-agent skill files
Policy narrative
On npm install, package.json invokes skills/postinstall.js. That script creates .opencode/skills under the current project and symlinks or copies package-authored markdown skills there, registering agent-facing instructions without a separate opt-in step. The skill content is content-operations oriented, but the lifecycle-triggered mutation of a broad project AI-agent control surface is the blockable behavior.
Rationale
Static inspection confirms unconsented npm lifecycle mutation of a project AI-agent skill surface, which matches the firewall policy for ai_agent_control_hijack. No additional credential theft or exfiltration was found, but those are not required for this block category.
Evidence
  • package.json
  • skills/postinstall.js
  • skills/blog-writing.md
  • skills/content-repurposing.md
  • skills/editorial-calendar.md
  • skills/performance-analysis.md
  • skills/script-writing.md
  • skills/seo-optimization.md
  • skills/trend-discovery.md
  • .opencode/skills/content-operations-blog-writing.md
  • .opencode/skills/content-operations-content-repurposing.md
  • .opencode/skills/content-operations-editorial-calendar.md
  • .opencode/skills/content-operations-performance-analysis.md
  • .opencode/skills/content-operations-script-writing.md
  • .opencode/skills/content-operations-seo-optimization.md
  • .opencode/skills/content-operations-trend-discovery.md

Decision evidence

public snapshot
AI called this Malicious at 94.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json runs postinstall: node skills/postinstall.js
  • skills/postinstall.js uses process.cwd() and creates .opencode/skills during npm install
  • postinstall links or copies all package skill .md files into that agent skill directory
  • Dropped skills contain package-supplied OpenCode-style skill frontmatter and instructions
Evidence against
  • No child_process, eval/vm/Function, native binary loading, or credential harvesting found
  • No exfiltration endpoint found; runtime network is limited to user-supplied browserManager URL and LLMClient calls
  • lib/index.js only exports content operation classes
  • mcp-tools.js registers a package-aligned content research tool and requires code only in handler
Behavioral surface
Source
Filesystem
Supply chain
UrlStrings
Manifest
NoLicense
scanned 16 file(s), 81.8 KB of source, external domains: example.com

Source & flagged code

3 flagged
package.json
scripts.postinstall = node skills/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node skills/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
skills/postinstall.js
Install-time AI-agent control hijack evidence:
L5: const projectRoot = process.cwd();
L6: const targetDir = path.join(projectRoot, '.opencode', 'skills');
L7: const sourceDir = path.join(__dirname);
L8:
L9: fs.mkdirSync(targetDir, { recursive: true });
L10: ...
L21: // Fallback: copy if symlink fails
L22: fs.copyFileSync(src, dest);
L23: console.log(`  📄 Copied ${destName}`);
Payload evidence from AGENTS.md:
L23: analytics.md
L24: package.json — deps: @andy-toolforge/core
L25: ```
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

skills/postinstall.js · L5

Findings

1 Critical · 1 High · 2 Medium · 4 Low
Critical · Ai Agent Control Hijack · skills/postinstall.js
High · Install Time Lifecycle Scripts · package.json
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · Url Strings
Low · No License