AI Security Review
scanned 8h ago · by lpm-firewall-aiLPM blocks this version under the AI-agent control-surface policy. An npm `postinstall` automatically writes package-controlled AI-agent prompts into global OpenCode and agent-skill directories. These files can influence later agent behavior after OpenCode restarts.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
Installing `novel-skill-opencode@1.0.0` or importing its `main` entrypoint.
Impact
Unconsented persistence of attacker-controlled instructions across future OpenCode agent sessions.
Mechanism
Postinstall copies package-supplied agent and skill instruction files into home-directory AI-agent control paths.
Policy narrative
On npm installation, `postinstall` executes `install.js` without a user command. It creates global OpenCode and agent-skill directories beneath the user's home directory and copies seven package-owned agent prompts plus a skill prompt there. The package tells users to restart OpenCode, enabling these persisted instructions to affect subsequent agent sessions. This is an unconsented install-time mutation of a broad AI-agent control surface.
Rationale
The install hook performs the policy-defined blocking behavior: unconsented `postinstall` writes to global AI-agent control paths. Lack of network or credential theft does not remove that concrete control-hijack surface.
Evidence
package.jsoninstall.jscli.jsskills/SKILL.mdagents/novel-lead.mdagents/novel-outline.mdagents/novel-audit.mdagents/novel-writer.mdagents/novel-script.mdagents/novel-material.mdagents/novel-video.md~/.opencode/agents/novel-*.md~/.agents/skills/novel/SKILL.md
Decision evidence
public snapshotAI called this Malicious at 97.0% confidence as Malware with low false-positive risk.
Evidence for policy block
- `package.json` runs `node install.js` in `postinstall`.
- `install.js` runs during installation and targets the user's home directory.
- `install.js` copies seven package agent prompts into `~/.opencode/agents/`.
- `install.js` copies `skills/SKILL.md` into `~/.agents/skills/novel/SKILL.md`.
- The installed prompts instruct an OpenCode agent system and are loaded after restart.
Evidence against
- No network endpoints or HTTP client calls found.
- No credential harvesting, environment reads, or remote payload execution found.
- Configured `config/AGENTS.md`, `config/novella.json`, and `uninstall.js` are absent, so those declared actions do not occur.
Behavioral surface
ChildProcessFilesystemShell
HighEntropyStrings
Source & flagged code
3 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkginstall.jsView file
4Install-time AI-agent control hijack evidence:
L11: const paths = {
L12: agents: path.join(homeDir, '.opencode', 'agents'),
L13: skills: path.join(homeDir, '.opencode', 'skills', 'novel'),
L14: skillDir: path.join(homeDir, '.agents', 'skills', 'novel'),
...
L34: if (!fs.existsSync(dirPath)) {
L35: fs.mkdirSync(dirPath, { recursive: true });
L36: console.log(`✓ 创建目录: ${dirPath}`);
...
L42: if (fs.existsSync(source)) {
L43: fs.copyFileSync(source, target);
L44: console.log(`✓ 复制文件: ${path.basename(target)}`);
...
L73: console.log('\n📦 安装配置文件...');
L74: const configSource = path.join(sourceDir, 'config', 'AGENTS.md');
Payload evidence from skills/SKILL.md:
L4: description: "小说创作与视频生成助手:智能体分工协作系统。包含7个专业智能体和1个总经理,支持流水线模式。从想法到成品(小说+封面+短剧)全自动完成。"
L5: metadata:
L6: requires:
Critical
Ai Agent Control Hijack
Install-time source drops package-supplied AI-agent/MCP control files or instructions.
install.jsView on unpkg · L4Findings
1 Critical1 High2 Medium4 Low
CriticalAi Agent Control Hijackinstall.js
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings