AI Security Review
scanned 3h ago · by lpm-firewall-ai
LPM treats this as warn-only first-party agent-extension lifecycle risk. No confirmed malicious attack surface was found. The package is an explicit CLI that installs AI-agent skills, and those skills guide users to configure MCP servers and tokens, creating agent-extension risk but not unconsented lifecycle hijack.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `opencode-setup` or `npx opencode-setup`
Impact
Can add agent skills under the user's home directory and guide token/MCP configuration if the user follows prompts.
Mechanism
user-invoked AI skill installer and MCP setup guidance
Policy narrative
Running the CLI copies bundled OpenCode-related skills into a home-directory skills folder. Those skills can later guide the agent/user through writing OpenCode MCP config and storing service tokens, including invoking npx/uvx MCP servers. This is sensitive agent-extension behavior, but it is explicit, user-invoked, documented, and no lifecycle hook or hidden exfiltration was found.
Rationale
The risky primitives are package-aligned and activated by an explicit CLI rather than install-time code. Because it installs broad agent skills and guides MCP/token setup, warn is appropriate, but there is no concrete malicious behavior to block.
Evidence
- package.json
- bin/cli.js
- skills/install-mcp/SKILL.md
- skills/github-setup/SKILL.md
- skills/onboarding/SKILL.md
- skills/piwik-analytics/SKILL.md
- ~/.agents/skills
- ~/.npmrc
- ~/.config/opencode/opencode.jsonc
- %APPDATA%\opencode\opencode.jsonc
- ~/.zshrc
- ~/.config/opencode/onboarding-progress.json
Network endpoints (7)
- github.com
- id.atlassian.com
- www.figma.com
- gjensidige.piwik.pro
- npm.pkg.github.com
- raw.githubusercontent.com
- astral.sh
Decision evidence
public snapshot: AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- bin/cli.js user-invoked bin copies bundled skills into ~/.agents/skills
- skills/install-mcp/SKILL.md instructs OpenCode config writes for GitHub/Jira/Figma/Piwik MCP servers
- skills/install-mcp/SKILL.md asks users for API tokens and stores them in ~/.zshrc or opencode.jsonc
- bin/cli.js can run `npx --yes skills add gjensidige/skills` after checking ~/.npmrc
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks
- bin/cli.js is only exposed as an explicit CLI bin
- No credential exfiltration or hidden network endpoint in executable code
- Network/package-manager use is visible and package-aligned for skills/MCP setup
- Bundled skills are plaintext setup guidance, not obfuscated payloads
Behavioral surface
Child Process, Environment Vars, Filesystem, Shell
Source & flagged code
bin/cli.js (2 flagged)

L7: import { createInterface } from "readline";
L8: import { execSync } from "child_process";
L9:
Severity: High

L69: if (!isDryRun) {
L70:   execSync("npx --yes skills add gjensidige/skills", {
L71:     stdio: "inherit",
Severity: High
Runtime Package Install
Package source invokes a package manager install command at runtime. (bin/cli.js, L69)
Findings
3 High, 1 Medium, 2 Low
- High: Child Process (bin/cli.js)
- High: Shell
- High: Runtime Package Install (bin/cli.js)
- Medium: Environment Vars
- Low: Scripts Present
- Low: Filesystem