
@erminhhho/profile@0.3.6

OpenCode-first personal AI coding environment setup

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package is an explicit CLI for setting up an OpenCode-centered AI coding environment. It mutates local project instructions and user OpenCode configuration and installs several external tools, but this is invoked by profile init/up rather than npm install lifecycle hooks.

Static reason
One or more suspicious static signals were detected; the previous stored version diff introduced dangerous source.
Trigger
User runs the profile CLI, especially default `profile init` or `profile up`.
Impact
Warn-level agent extension lifecycle risk: installs global/external tools and enables a local OpenCode MCP server, but no confirmed malicious payload, exfiltration, or stealth install-time takeover was found.
Mechanism
Explicit AI-agent/toolchain setup and OpenCode MCP configuration mutation
Rationale
Static inspection confirms real AI-agent configuration mutation and runtime package/tool installation, so a clean verdict would understate lifecycle risk. Because the behavior is explicit user-command setup with package-aligned endpoints and no install-time hook, credential theft, destructive action, or remote payload execution beyond declared tool installation, it should be warned rather than blocked.
Evidence
  • package.json
  • bin/profile.js
  • src/cli.js
  • src/commands/init.js
  • src/commands/sync.js
  • src/commands/up.js
  • src/tools.js
  • src/fs.js
  • src/env.js
  • src/renderers/agents.js
  • AGENTS.md
  • .github/copilot-instructions.md
  • .github/profile.manifest.json
  • .github/instructions
  • .github/skills
  • $HOME/.config/opencode/opencode.json
  • $HOME/.config/opencode/plugins/caveman/plugin.js
  • /tmp/open-design-build
Network endpoints (4)
  • raw.githubusercontent.com/DietrichGebert/ponytail/main/AGENTS.md
  • github.com/nexu-io/open-design.git
  • github:JuliusBrussee/caveman
  • 127.0.0.1:7456

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • src/tools.js writes $HOME/.config/opencode/opencode.json with an enabled open-design MCP config.
  • src/tools.js runs user-command tool installers: npx github:JuliusBrussee/caveman, npm install -g rtk, pip install graphifyy, git clone open-design, docker compose.
  • src/commands/init.js default command installs OpenCode globally when missing and then runs setupAll unless --minimal/--dry-run is used.
  • src/commands/sync.js fetches remote AGENTS.md text from raw.githubusercontent.com and writes generated AGENTS.md into the current project.
Evidence against
  • package.json has no preinstall/install/postinstall hook; only prepublishOnly runs tests/version check before publishing.
  • bin/profile.js only dispatches explicit CLI commands; risky setup is user-invoked at runtime, not install-time.
  • No credential harvesting, secret file reads, broad filesystem traversal, or exfiltration endpoints found.
  • Network use is aligned with the stated AI coding environment setup/update behavior.
  • Shell commands are fixed strings or package-controlled tool commands, not attacker-supplied user input.
Behavioral surface
Source: ChildProcess, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: NoLicense
scanned 10 file(s), 17.7 KB of source, external domains: 127.0.0.1, github.com, nodejs.org, raw.githubusercontent.com

Source & flagged code

3 flagged
src/tools.js
matchType = previous_version_dangerous_delta
matchedPackage = @erminhhho/profile@0.3.7
matchedIdentity = npm:QGVybWluaGhoby9wcm9maWxl:0.3.7
similarity = 0.900
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/tools.js, L1–L2:
    import { execSync } from 'node:child_process'
    import { mkdirSync, readFileSync, rmSync, writeFileSync } from 'node:fs'
High
Child Process

Package source references child process execution.

src/tools.js · L1
src/commands/init.js, L25–L28:
    console.log(`\n → Installing OpenCode...`)
    const npm = await import('node:child_process')
    npm.execSync('npm install -g opencode', { encoding: 'utf8', stdio: 'inherit', timeout: 120000 })
    }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

src/commands/init.js · L25

Findings

1 Critical, 3 High, 3 Medium, 6 Low
  • Critical: Previous Version Dangerous Delta (src/tools.js)
  • High: Child Process (src/tools.js)
  • High: Shell
  • High: Runtime Package Install (src/commands/init.js)
  • Medium: Network
  • Medium: Environment Vars
  • Medium: Structural Risk Force Deep Review
  • Low: Non Install Lifecycle Scripts
  • Low: Scripts Present
  • Low: Filesystem
  • Low: High Entropy Strings
  • Low: Url Strings
  • Low: No License