
@erminhhho/profile@0.3.7

OpenCode-first personal AI coding environment setup

AI Security Review

scanned 2d ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced dangerous source.
Trigger
User runs profile init, profile sync, or profile up, including via npx with default init.
Impact
Can replace project agent instructions, remove legacy .github agent files, install global tools, and register a local MCP daemon for OpenCode.
Mechanism
user-invoked OpenCode/AGENTS.md setup and external tool installation
Policy narrative
On explicit CLI invocation, the package generates AGENTS.md, optionally incorporates remote Ponytail rules, installs/updates OpenCode-related tools, and writes OpenCode MCP configuration for a Dockerized Open Design daemon. This creates meaningful agent-control risk because mutable remote instructions and tool registrations affect AI coding behavior, but it is not triggered by npm installation and aligns with the package's stated setup purpose.
Rationale
Source inspection shows no lifecycle-triggered hijack, exfiltration, or covert persistence, so publish blocking is not justified. The package still warrants a warning because normal CLI use writes broad AI-agent instruction/config surfaces and installs mutable external tools/MCP components.
Evidence (files inspected)
  • package.json
  • bin/profile.js
  • src/cli.js
  • src/commands/init.js
  • src/commands/sync.js
  • src/fs.js
  • src/tools.js
  • AGENTS.md
  • .github/copilot-instructions.md
  • .github/profile.manifest.json
  • .github/instructions
  • .github/skills
  • ~/.config/opencode/opencode.json
  • ~/.config/opencode/plugins/caveman/plugin.js
Network endpoints (4)
  • raw.githubusercontent.com/DietrichGebert/ponytail/main/AGENTS.md
  • ghcr.io/nexu-io/od:latest
  • github:JuliusBrussee/caveman
  • 127.0.0.1:7456

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • bin/profile.js defaults to init when run with no command via src/cli.js.
  • src/commands/sync.js fetches remote AGENTS.md from raw.githubusercontent.com and embeds it into generated AGENTS.md.
  • src/fs.js writes AGENTS.md and removes legacy .github Copilot/profile instruction paths in the target project.
  • src/tools.js writes ~/.config/opencode/opencode.json with an Open Design MCP server and runs docker/npx/npm/pip installers.
  • src/tools.js pulls ghcr.io/nexu-io/od:latest and starts a restarting local container with API auth disabled on 127.0.0.1:7456.
Evidence against
  • package.json has no install/postinstall/prepare hook; prepublishOnly is publisher-side test/version check only.
  • Tool installation and agent config writes occur from user-invoked profile init/up, with --minimal and --dry-run paths.
  • No credential harvesting, secret file scanning, destructive home traversal, or data exfiltration found.
  • Network use is package-aligned setup/update behavior, not covert beaconing.
  • No eval/vm/native binary loading or obfuscated staged payloads found.
Behavioral surface
Source: Child Process, Environment Vars, Filesystem, Network, Shell
Supply chain: High Entropy Strings, URL Strings
Manifest: No License
scanned 10 file(s), 18.0 KB of source, external domains: 127.0.0.1, nodejs.org, raw.githubusercontent.com

Source & flagged code

3 flagged

src/tools.js
Match data
  • matchType = previous_version_dangerous_delta
  • matchedPackage = @erminhhho/profile@0.3.1
  • matchedIdentity = npm:QGVybWluaGhoby9wcm9maWxl:0.3.1
  • similarity = 0.900
  • summary = stored previous version shares package body but lacks this dangerous source file

Critical · Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
Location: src/tools.js

src/tools.js, lines 1-2:
    import { execSync } from 'node:child_process'
    import { mkdirSync, readFileSync, writeFileSync } from 'node:fs'

High · Child Process
Package source references child process execution.
Location: src/tools.js · L1

src/commands/init.js

src/commands/init.js, lines 25-28:
    console.log(`\n → Installing OpenCode...`)
    const npm = await import('node:child_process')
    npm.execSync('npm install -g opencode', { encoding: 'utf8', stdio: 'inherit', timeout: 120000 })
    }

High · Runtime Package Install
Package source invokes a package manager install command at runtime.
Location: src/commands/init.js · L25

Findings

1 Critical · 3 High · 3 Medium · 6 Low
  • Critical: Previous Version Dangerous Delta (src/tools.js)
  • High: Child Process (src/tools.js)
  • High: Shell
  • High: Runtime Package Install (src/commands/init.js)
  • Medium: Network
  • Medium: Environment Vars
  • Medium: Structural Risk Force Deep Review
  • Low: Non Install Lifecycle Scripts
  • Low: Scripts Present
  • Low: Filesystem
  • Low: High Entropy Strings
  • Low: URL Strings
  • Low: No License