AI Security Review
scanned 2h ago · by lpm-firewall-ai
LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface is established. The package is a user-invoked OpenCode skill installer with agent-facing setup instructions.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `opencode-setup`; later user invokes installed OpenCode skills.
Impact
Installs agent skills that may guide MCP/token configuration; no automatic exfiltration or install-time control-surface hijack found.
Mechanism
copies bundled agent skills to home skill directory
Rationale
The risky behavior is agent-extension setup and MCP/token guidance, but it is activated by an explicit CLI and skill use rather than npm lifecycle execution or hidden import-time behavior. Static source inspection found no credential harvesting/exfiltration, automatic foreign agent config rewrite, persistence, or destructive behavior.
Evidence
- package.json
- bin/cli.js
- skills/install-mcp/SKILL.md
- skills/github-setup/SKILL.md
- skills/onboarding/SKILL.md
- ~/.agents/skills/<skillName>
- ~/.npmrc
- ~/.config/opencode/opencode.jsonc
Network endpoints (9)
- npm.pkg.github.com
- github.com
- id.atlassian.com
- figma.com
- gjensidige.piwik.pro
- astral.sh
- opencode.ai
- nodejs.org
- raw.githubusercontent.com
Decision evidence
public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- Read-only inspection found CLI writes packaged skills into ~/.agents/skills when user runs the bin.
- Packaged skills instruct OpenCode to edit ~/.config/opencode/opencode.jsonc MCP config and collect/use GitHub/Jira/Figma/Piwik tokens.
- bin/cli.js can run `npx --yes skills add gjensidige/skills` after checking ~/.npmrc, but the function is not called.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle scripts; behavior is user-invoked via bin.
- bin/cli.js copies bundled skills only when invoked and does not execute on import/install.
- No source exfiltration logic found; ~/.npmrc read is only a substring presence check.
- No obfuscation, eval/vm/Function, native binary loading, destructive commands, or persistence hooks found.
- MCP/config changes are instructions inside user-invoked skills, not lifecycle-triggered mutation by npm install.
Behavioral surface
ChildProcess, EnvironmentVars, Filesystem, Shell
Source & flagged code
2 flagged · bin/cli.js
L7: import { createInterface } from "readline";
L8: import { execSync } from "child_process";
L9:
High
L69: if (!isDryRun) {
L70: execSync("npx --yes skills add gjensidige/skills", {
L71: stdio: "inherit",
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
bin/cli.js · L69
Findings
3 High · 1 Medium · 2 Low
- High: Child Process (bin/cli.js)
- High: Shell
- High: Runtime Package Install (bin/cli.js)
- Medium: Environment Vars
- Low: Scripts Present
- Low: Filesystem