registry  /  @andy-toolforge/pm-support  /  1.0.2

@andy-toolforge/pm-support@1.0.2

Toolforge domain: Project management tools — task tracker, meeting assistant, project planner

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package performs unconsented install-time mutation of a broad/foreign AI-agent control surface. The dropped content is benign-looking, but the postinstall mechanism makes package-supplied skills active in .opencode/skills.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install @andy-toolforge/pm-support
Impact
Package-controlled AI-agent skills are installed into the consuming project without an explicit setup command.
Mechanism
postinstall symlink/copy into .opencode/skills
Policy narrative
On npm install, the lifecycle hook runs skills/postinstall.js. That script creates .opencode/skills under the current project and links or copies package Markdown skills into it, making package-authored agent instructions available to the user's AI tooling without a separate opt-in setup command.
Rationale
Source inspection confirms automatic postinstall mutation of .opencode/skills, which matches the block policy for unconsented npm lifecycle mutation of a foreign/broad AI-agent control surface. No secondary exfiltration or destructive payload was found, but the lifecycle control-surface write is sufficient for a block verdict. Product guard normalized a concrete AI-agent control hijack publish_block to the blockable dangerous-capability shape.
Evidence
package.jsonskills/postinstall.jsskills/pm-meeting-assistant.mdskills/pm-project-planner.md.opencode/skills/pm-support-pm-meeting-assistant.md.opencode/skills/pm-support-pm-project-planner.md

Decision evidence

public snapshot
AI called this Malicious at 94.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json runs postinstall: node skills/postinstall.js
  • skills/postinstall.js creates .opencode/skills in the install cwd
  • skills/postinstall.js symlinks or copies package Markdown skill files into that AI-agent skill directory
  • Mutation happens automatically during npm install, not by explicit user command
Evidence against
  • No network, credential harvesting, child_process, eval, or native/binary loading found
  • Runtime lib/tracker.js is an in-memory task/time tracker
  • Dropped skill files are project-management prompts without exfiltration or destructive instructions
Behavioral surface
Source
Filesystem
Supply chainNo supply-chain packaging signals triggered.
Manifest
NoLicense
scanned 5 file(s), 27.7 KB of source

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node skills/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node skills/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
skills/postinstall.jsView file
5Install-time AI-agent control hijack evidence: L5: const projectRoot = process.cwd(); L6: const targetDir = path.join(projectRoot, '.opencode', 'skills'); L7: const sourceDir = path.join(__dirname); L8: L9: fs.mkdirSync(targetDir, { recursive: true }); L10: ... L21: // Fallback: copy if symlink fails L22: fs.copyFileSync(src, dest); L23: console.log(` 📄 Copied ${destName}`); Payload evidence from AGENTS.md: L14: task-tracker.md L15: package.json — deps: @andy-toolforge/core L16: ```
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

skills/postinstall.jsView on unpkg · L5

Findings

1 Critical1 High2 Medium3 Low
CriticalAi Agent Control Hijackskills/postinstall.js
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowNo License