
opencode-setup@1.1.13

Install OpenCode skills for non-developers: GitHub, MCP servers and more

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface was found. The package is an explicit CLI that installs AI-agent skills and those skills guide users to configure MCP servers and tokens, creating agent-extension risk but not unconsented lifecycle hijack.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `opencode-setup` or `npx opencode-setup`
Impact
Can add agent skills under the user's home directory and guide token/MCP configuration if the user follows prompts.
Mechanism
user-invoked AI skill installer and MCP setup guidance
Policy narrative
Running the CLI copies bundled OpenCode-related skills into a home-directory skills folder. Those skills can later guide the agent/user through writing OpenCode MCP config and storing service tokens, including invoking npx/uvx MCP servers. This is sensitive agent-extension behavior, but it is explicit, user-invoked, documented, and no lifecycle hook or hidden exfiltration was found.
Rationale
The risky primitives are package-aligned and activated by an explicit CLI rather than install-time code. Because it installs broad agent skills and guides MCP/token setup, warn is appropriate, but there is no concrete malicious behavior to block.
Evidence
  • package.json
  • bin/cli.js
  • skills/install-mcp/SKILL.md
  • skills/github-setup/SKILL.md
  • skills/onboarding/SKILL.md
  • skills/piwik-analytics/SKILL.md
  • ~/.agents/skills
  • ~/.npmrc
  • ~/.config/opencode/opencode.jsonc
  • %APPDATA%\opencode\opencode.jsonc
  • ~/.zshrc
  • ~/.config/opencode/onboarding-progress.json
Network endpoints (7)
github.com, id.atlassian.com, www.figma.com, gjensidige.piwik.pro, npm.pkg.github.com, raw.githubusercontent.com, astral.sh

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • bin/cli.js user-invoked bin copies bundled skills into ~/.agents/skills
  • skills/install-mcp/SKILL.md instructs OpenCode config writes for GitHub/Jira/Figma/Piwik MCP servers
  • skills/install-mcp/SKILL.md asks users for API tokens and stores them in ~/.zshrc or opencode.jsonc
  • bin/cli.js can run `npx --yes skills add gjensidige/skills` after checking ~/.npmrc
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks
  • bin/cli.js is only exposed as an explicit CLI bin
  • No credential exfiltration or hidden network endpoint in executable code
  • Network/package-manager use is visible and package-aligned for skills/MCP setup
  • Bundled skills are plaintext setup guidance, not obfuscated payloads
Behavioral surface
Source: ChildProcess, EnvironmentVars, Filesystem, Shell
Supply chain: No supply-chain packaging signals triggered.
Manifest: No manifest risk signals triggered.
scanned 1 file(s), 7.81 KB of source

Source & flagged code

2 flagged
bin/cli.js
7: import { createInterface } from "readline";
8: import { execSync } from "child_process";
High
Child Process

Package source references child process execution.

bin/cli.js · L7
69: if (!isDryRun) {
70:   execSync("npx --yes skills add gjensidige/skills", {
71:     stdio: "inherit",
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/cli.js · L69

Findings

3 High · 1 Medium · 2 Low
  • High · Child Process · bin/cli.js
  • High · Shell
  • High · Runtime Package Install · bin/cli.js
  • Medium · Environment Vars
  • Low · Scripts Present
  • Low · Filesystem