AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious attack surface by source inspection. The package is a user-invoked OpenCode skill installer that copies bundled skills to ~/.agents/skills and may run a package-aligned skills installer command.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs opencode-setup CLI, optionally with --all or --dry-run.
Impact
Installs or updates OpenCode skills in the user's agent skills directory; residual agent extension behavior is guarded by explicit CLI invocation.
Mechanism
copies bundled agent skills and optionally invokes npx skills add gjensidige/skills
Rationale
The suspicious primitives are aligned with an explicit CLI installer: it reads ~/.npmrc only to decide whether to offer GitHub Packages skills, copies local skill documentation into ~/.agents/skills, and has no install-time execution. Because this is user-invoked and package-aligned, no unconsented lifecycle mutation or concrete exfiltration behavior is established.
Evidence
package.jsonbin/cli.jsskills/install-mcp/SKILL.mdskills/github-setup/SKILL.mdskills/piwik-mcp/SKILL.md~/.agents/skills/<skill>~/.npmrc
Network endpoints1
npm.pkg.github.com
Decision evidence
public snapshotAI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- No npm lifecycle hooks; package.json only exposes user-invoked bin ./bin/cli.js.
- bin/cli.js copies bundled skills only after CLI execution, not install/import time.
- Writes are limited to ~/.agents/skills/<skill>; no .mcp.json, Claude/Codex/Cursor config, shell startup, VCS hooks, or daemon persistence seen.
- child_process use is explicit runtime command npx --yes skills add gjensidige/skills after checking ~/.npmrc for GitHub Packages token presence.
- ~/.npmrc is read only for substring checks and token value is not logged or transmitted by package code.
- Bundled skill files are plain SKILL.md content; no executable payloads or prompt injection targeting this review seen.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemShell
Source & flagged code
2 flagged · loading sourcebin/cli.jsView file
7import { createInterface } from "readline";
L8: import { execSync } from "child_process";
L9:
High
69if (!isDryRun) {
L70: execSync("npx --yes skills add gjensidige/skills", {
L71: stdio: "inherit",
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
bin/cli.jsView on unpkg · L69Findings
3 High1 Medium2 Low
HighChild Processbin/cli.js
HighShell
HighRuntime Package Installbin/cli.js
MediumEnvironment Vars
LowScripts Present
LowFilesystem