
@erminhhho/profile@0.3.1

OpenCode-first personal AI coding environment setup

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface; risky primitives are tied to the package's explicit AI environment setup purpose. The main residual risk is user-invoked remote rules/tool installation affecting agent configuration.

Static reason
One or more suspicious static signals were detected; the diff against the previously stored version introduced dangerous source.
Trigger
User runs profile init, sync, or up CLI commands.
Impact
Writes AGENTS.md, removes documented legacy profile files, and installs/configures external tools when requested.
Mechanism
user-invoked AI environment setup and AGENTS.md generation
Rationale
Static inspection shows dangerous primitives, but they are explicit CLI behavior for a personal AI coding environment setup package and are documented rather than hidden install/import-time behavior. No concrete credential theft, exfiltration, persistence, or unconsented lifecycle agent-control mutation was found.
Evidence
  • package.json
  • bin/profile.js
  • src/cli.js
  • src/commands/init.js
  • src/commands/sync.js
  • src/commands/up.js
  • src/tools.js
  • src/fs.js
  • README.md
  • AGENTS.md
  • .github/copilot-instructions.md
  • .github/profile.manifest.json
  • .github/instructions
  • .github/skills
Network endpoints (4)
  • raw.githubusercontent.com/DietrichGebert/ponytail/main/AGENTS.md
  • github:JuliusBrussee/caveman
  • npm registry for opencode/rtk
  • PyPI for graphifyy

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • src/commands/sync.js fetches remote Ponytail rules from raw.githubusercontent.com and writes them into AGENTS.md.
  • src/tools.js runs user-invoked installers: npx GitHub caveman, npm install -g rtk, pip install graphifyy, and OpenCode hooks.
  • src/fs.js removes legacy .github agent/profile files during sync.
Evidence against
  • package.json has no install/postinstall hook; prepublishOnly is publisher-side test/version check only.
  • bin/profile.js only dispatches explicit CLI commands init/sync/up.
  • README.md documents OpenCode setup, AGENTS.md generation, legacy cleanup, and tool installation.
  • No credential harvesting, env dumping, destructive broad filesystem traversal, or exfiltration code found.
  • Network activity is limited to documented tool installation and one rules fetch for generated AGENTS.md.
Behavioral surface
Source
Child Process · Environment Vars · Filesystem · Network · Shell
Supply chain
High Entropy Strings · Url Strings
Manifest
No License
scanned 10 file(s), 14.2 KB of source, external domains: nodejs.org, raw.githubusercontent.com

Source & flagged code

3 flagged

src/tools.js · L1–L2
    import { execSync } from 'node:child_process'
    import os from 'node:os'
High
Child Process

Package source references child process execution.

src/commands/init.js · L25–L28
    console.log(`\n → Installing OpenCode...`)
    const npm = await import('node:child_process')
    npm.execSync('npm install -g opencode', { encoding: 'utf8', stdio: 'inherit', timeout: 120000 })
    }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

src/env.js
    matchType = previous_version_dangerous_delta
    matchedPackage = @erminhhho/profile@0.2.0
    matchedIdentity = npm:QGVybWluaGhoby9wcm9maWxl:0.2.0
    similarity = 0.400
    summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.


Findings

1 Critical · 3 High · 3 Medium · 6 Low
  • Critical · Previous Version Dangerous Delta · src/env.js
  • High · Child Process · src/tools.js
  • High · Shell
  • High · Runtime Package Install · src/commands/init.js
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Structural Risk Force Deep Review
  • Low · Non Install Lifecycle Scripts
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings
  • Low · No License