registry  /  opencode-setup  /  1.1.8

opencode-setup@1.1.8

Installer OpenCode-skills for ikke-utviklere — GitHub, MCP-servere og mer

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface by source inspection. The package is a user-invoked OpenCode skill installer that copies bundled skills to ~/.agents/skills and may run a package-aligned skills installer command.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs opencode-setup CLI, optionally with --all or --dry-run.
Impact
Installs or updates OpenCode skills in the user's agent skills directory; residual agent extension behavior is guarded by explicit CLI invocation.
Mechanism
copies bundled agent skills and optionally invokes npx skills add gjensidige/skills
Rationale
The suspicious primitives are aligned with an explicit CLI installer: it reads ~/.npmrc only to decide whether to offer GitHub Packages skills, copies local skill documentation into ~/.agents/skills, and has no install-time execution. Because this is user-invoked and package-aligned, no unconsented lifecycle mutation or concrete exfiltration behavior is established.
Evidence
package.jsonbin/cli.jsskills/install-mcp/SKILL.mdskills/github-setup/SKILL.mdskills/piwik-mcp/SKILL.md~/.agents/skills/<skill>~/.npmrc
Network endpoints1
npm.pkg.github.com

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • No npm lifecycle hooks; package.json only exposes user-invoked bin ./bin/cli.js.
    • bin/cli.js copies bundled skills only after CLI execution, not install/import time.
    • Writes are limited to ~/.agents/skills/<skill>; no .mcp.json, Claude/Codex/Cursor config, shell startup, VCS hooks, or daemon persistence seen.
    • child_process use is explicit runtime command npx --yes skills add gjensidige/skills after checking ~/.npmrc for GitHub Packages token presence.
    • ~/.npmrc is read only for substring checks and token value is not logged or transmitted by package code.
    • Bundled skill files are plain SKILL.md content; no executable payloads or prompt injection targeting this review seen.
    Behavioral surface
    Source
    ChildProcessEnvironmentVarsFilesystemShell
    Supply chainNo supply-chain packaging signals triggered.
    ManifestNo manifest risk signals triggered.
    scanned 1 file(s), 7.89 KB of source

    Source & flagged code

    2 flagged · loading source
    bin/cli.jsView file
    7import { createInterface } from "readline"; L8: import { execSync } from "child_process"; L9:
    High
    Child Process

    Package source references child process execution.

    bin/cli.jsView on unpkg · L7
    69if (!isDryRun) { L70: execSync("npx --yes skills add gjensidige/skills", { L71: stdio: "inherit",
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    bin/cli.jsView on unpkg · L69

    Findings

    3 High1 Medium2 Low
    HighChild Processbin/cli.js
    HighShell
    HighRuntime Package Installbin/cli.js
    MediumEnvironment Vars
    LowScripts Present
    LowFilesystem