@andy-toolforge/pm-support@1.0.0

Toolforge domain: Project management tools — task tracker, meeting assistant, project planner

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Install-time code mutates the consumer project by adding package-supplied AI skills under .opencode/skills. This is an unconsented lifecycle write to a broad agent control surface, even though the planted skill content is package-aligned.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs the postinstall lifecycle script
Impact
Consumer projects receive agent-facing instructions without explicit user opt-in, altering future OpenCode agent behavior for project-management tasks.
Mechanism
lifecycle symlink/copy of AI skill Markdown files
Policy narrative
On installation, npm executes skills/postinstall.js. The script creates .opencode/skills under the current project and symlinks or copies the package's Markdown skill files there if missing. Those files become agent-facing instructions for OpenCode without a user-invoked setup step or consent gate.
Rationale
The package has no credential theft, exfiltration, remote code execution, or destructive runtime behavior, but the postinstall hook unconditionally plants AI-agent skill files into a project-level OpenCode control surface. Under the install control surface policy, unconsented lifecycle mutation of a foreign/broad agent surface is blockable.
Evidence
  • package.json
  • skills/postinstall.js
  • skills/pm-meeting-assistant.md
  • skills/pm-project-planner.md
  • lib/index.js
  • lib/tracker.js
  • .opencode/skills/pm-support-pm-meeting-assistant.md
  • .opencode/skills/pm-support-pm-project-planner.md

Decision evidence

public snapshot
AI called this Malicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json runs postinstall: node skills/postinstall.js
  • skills/postinstall.js creates .opencode/skills in the installing project at install time
  • postinstall symlinks or copies package Markdown skill files into that agent control surface without an opt-in guard
Evidence against
  • lib/index.js only exports TaskTracker
  • lib/tracker.js is an in-memory project/task/time tracker with no network, shell, eval, or filesystem access
  • Skill files are project-management prompts and do not request secrets, persistence, or network actions
  • No network endpoints beyond publishConfig registry metadata
Behavioral surface
Source: Filesystem
Supply chain: No supply-chain packaging signals triggered.
Manifest: NoLicense
scanned 4 file(s), 22.0 KB of source

Source & flagged code

2 flagged
package.json
scripts.postinstall = node skills/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

scripts.postinstall = node skills/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

Findings

1 High · 1 Medium · 3 Low
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Low: Scripts Present
  • Low: Filesystem
  • Low: No License