registry  /  novel-skill-opencode  /  1.0.0

novel-skill-opencode@1.0.0

小说创作技能一键安装工具 - OpenCode智能体系统

AI Security Review

scanned 8h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. An npm `postinstall` automatically writes package-controlled AI-agent prompts into global OpenCode and agent-skill directories. These files can influence later agent behavior after OpenCode restarts.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Installing `novel-skill-opencode@1.0.0` or importing its `main` entrypoint.
Impact
Unconsented persistence of attacker-controlled instructions across future OpenCode agent sessions.
Mechanism
Postinstall copies package-supplied agent and skill instruction files into home-directory AI-agent control paths.
Policy narrative
On npm installation, `postinstall` executes `install.js` without a user command. It creates global OpenCode and agent-skill directories beneath the user's home directory and copies seven package-owned agent prompts plus a skill prompt there. The package tells users to restart OpenCode, enabling these persisted instructions to affect subsequent agent sessions. This is an unconsented install-time mutation of a broad AI-agent control surface.
Rationale
The install hook performs the policy-defined blocking behavior: unconsented `postinstall` writes to global AI-agent control paths. Lack of network or credential theft does not remove that concrete control-hijack surface.
Evidence
package.jsoninstall.jscli.jsskills/SKILL.mdagents/novel-lead.mdagents/novel-outline.mdagents/novel-audit.mdagents/novel-writer.mdagents/novel-script.mdagents/novel-material.mdagents/novel-video.md~/.opencode/agents/novel-*.md~/.agents/skills/novel/SKILL.md

Decision evidence

public snapshot
AI called this Malicious at 97.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • `package.json` runs `node install.js` in `postinstall`.
  • `install.js` runs during installation and targets the user's home directory.
  • `install.js` copies seven package agent prompts into `~/.opencode/agents/`.
  • `install.js` copies `skills/SKILL.md` into `~/.agents/skills/novel/SKILL.md`.
  • The installed prompts instruct an OpenCode agent system and are loaded after restart.
Evidence against
  • No network endpoints or HTTP client calls found.
  • No credential harvesting, environment reads, or remote payload execution found.
  • Configured `config/AGENTS.md`, `config/novella.json`, and `uninstall.js` are absent, so those declared actions do not occur.
Behavioral surface
Source
ChildProcessFilesystemShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 4.41 KB of source

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
install.jsView file
4Install-time AI-agent control hijack evidence: L11: const paths = { L12: agents: path.join(homeDir, '.opencode', 'agents'), L13: skills: path.join(homeDir, '.opencode', 'skills', 'novel'), L14: skillDir: path.join(homeDir, '.agents', 'skills', 'novel'), ... L34: if (!fs.existsSync(dirPath)) { L35: fs.mkdirSync(dirPath, { recursive: true }); L36: console.log(`✓ 创建目录: ${dirPath}`); ... L42: if (fs.existsSync(source)) { L43: fs.copyFileSync(source, target); L44: console.log(`✓ 复制文件: ${path.basename(target)}`); ... L73: console.log('\n📦 安装配置文件...'); L74: const configSource = path.join(sourceDir, 'config', 'AGENTS.md'); Payload evidence from skills/SKILL.md: L4: description: "小说创作与视频生成助手:智能体分工协作系统。包含7个专业智能体和1个总经理,支持流水线模式。从想法到成品(小说+封面+短剧)全自动完成。" L5: metadata: L6: requires:
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

install.jsView on unpkg · L4

Findings

1 Critical1 High2 Medium4 Low
CriticalAi Agent Control Hijackinstall.js
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings