opencode-setup@1.1.10

Install OpenCode skills for non-developers — GitHub, MCP servers and more

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs opencode-setup bin, optionally with --all
Impact
Installs OpenCode/agent guidance under the user's home directory and may lead a user/agent to configure MCP servers and credentials
Mechanism
copies bundled agent skills and optionally invokes npx skills add
Policy narrative
The package exposes a CLI that installs bundled OpenCode/agent skills into ~/.agents/skills and, if an npm GitHub Packages token is detected, runs an npx skills add command for Gjensidige skills. The bundled skills guide users through writing MCP blocks and tokens into OpenCode config. This is sensitive agent-extension behavior, but it is user-invoked, documented, package-aligned, and not delivered through npm lifecycle hooks.
Rationale
Source inspection shows guarded/user-invoked agent skill and MCP setup behavior rather than credential exfiltration, lifecycle hijacking, persistence, or destructive code. Because it writes a broad home agent skills namespace and supplies credential/MCP setup instructions, warn rather than mark fully clean.
Evidence
  • package.json
  • bin/cli.js
  • README.md
  • skills/install-mcp/SKILL.md
  • skills/github-setup/SKILL.md
  • skills/onboarding/SKILL.md
  • skills/figma-mcp/SKILL.md
  • skills/piwik-analytics/SKILL.md
  • ~/.agents/skills
  • ~/.npmrc
  • ~/.config/opencode/opencode.jsonc
  • ~/.config/opencode/onboarding-progress.json
Network endpoints (7)
  • npm.pkg.github.com
  • github.com
  • id.atlassian.com
  • figma.com
  • gjensidige.piwik.pro
  • astral.sh
  • opencode.ai

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • bin/cli.js user-invoked bin copies bundled skills into ~/.agents/skills
  • bin/cli.js reads ~/.npmrc for npm.pkg.github.com and _authToken presence
  • bin/cli.js can run npx --yes skills add gjensidige/skills when invoked
  • skills/install-mcp/SKILL.md instructs editing OpenCode MCP config with GitHub/Jira/Figma/Piwik tokens
  • skills/onboarding/SKILL.md instructs reading/writing ~/.config/opencode/onboarding-progress.json
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks
  • No import-time execution beyond CLI entrypoint use
  • No code reads or transmits token values; .npmrc check only tests substrings
  • No obfuscated code, eval/vm/Function, native binary, persistence, or destructive commands found
  • MCP and token setup is documented package purpose in README.md and user-guided skills
Behavioral surface
Source
ChildProcess, EnvironmentVars, Filesystem, Shell
Supply chain: No supply-chain packaging signals triggered.
Manifest: No manifest risk signals triggered.
scanned 1 file(s), 7.89 KB of source

Source & flagged code

2 flagged
bin/cli.js
    L7: import { createInterface } from "readline";
    L8: import { execSync } from "child_process";
High
Child Process

Package source references child process execution.

bin/cli.js · L7
    L69: if (!isDryRun) {
    L70:   execSync("npx --yes skills add gjensidige/skills", {
    L71:     stdio: "inherit",
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/cli.js · L69

Findings

3 High, 1 Medium, 2 Low
  • High: Child Process (bin/cli.js)
  • High: Shell
  • High: Runtime Package Install (bin/cli.js)
  • Medium: Environment Vars
  • Low: Scripts Present
  • Low: Filesystem