opencode-setup@1.1.14

Install OpenCode skills for non-developers: GitHub, MCP servers and more

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface is established. The package is a user-invoked OpenCode skill installer with agent-facing setup instructions.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `opencode-setup`; later user invokes installed OpenCode skills.
Impact
Installs agent skills that may guide MCP/token configuration; no automatic exfiltration or install-time control-surface hijack found.
Mechanism
copies bundled agent skills to home skill directory
Rationale
The risky behavior is agent-extension setup and MCP/token guidance, but it is activated by an explicit CLI and skill use rather than npm lifecycle execution or hidden import-time behavior. Static source inspection found no credential harvesting/exfiltration, automatic foreign agent config rewrite, persistence, or destructive behavior.
Evidence
  • package.json
  • bin/cli.js
  • skills/install-mcp/SKILL.md
  • skills/github-setup/SKILL.md
  • skills/onboarding/SKILL.md
  • ~/.agents/skills/<skillName>
  • ~/.npmrc
  • ~/.config/opencode/opencode.jsonc
Network endpoints (9)
npm.pkg.github.com, github.com, id.atlassian.com, figma.com, gjensidige.piwik.pro, astral.sh, opencode.ai, nodejs.org, raw.githubusercontent.com

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • Read-only inspection found CLI writes packaged skills into ~/.agents/skills when user runs the bin.
  • Packaged skills instruct OpenCode to edit ~/.config/opencode/opencode.jsonc MCP config and collect/use GitHub/Jira/Figma/Piwik tokens.
  • bin/cli.js can run `npx --yes skills add gjensidige/skills` after checking ~/.npmrc, but the function is not called.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle scripts; behavior is user-invoked via bin.
  • bin/cli.js copies bundled skills only when invoked and does not execute on import/install.
  • No source exfiltration logic found; ~/.npmrc read is only a substring presence check.
  • No obfuscation, eval/vm/Function, native binary loading, destructive commands, or persistence hooks found.
  • MCP/config changes are instructions inside user-invoked skills, not lifecycle-triggered mutation by npm install.
Behavioral surface
Source
ChildProcess, EnvironmentVars, Filesystem, Shell
Supply chain: No supply-chain packaging signals triggered.
Manifest: No manifest risk signals triggered.
scanned 1 file(s), 7.81 KB of source

Source & flagged code

2 flagged
bin/cli.js
    L7: import { createInterface } from "readline";
    L8: import { execSync } from "child_process";
High
Child Process

Package source references child process execution.

bin/cli.js · L7
    L69: if (!isDryRun) {
    L70:   execSync("npx --yes skills add gjensidige/skills", {
    L71:     stdio: "inherit",
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/cli.js · L69

Findings

3 High, 1 Medium, 2 Low
High · Child Process · bin/cli.js
High · Shell
High · Runtime Package Install · bin/cli.js
Medium · Environment Vars
Low · Scripts Present
Low · Filesystem