registry  /  skill-ledger  /  0.1.2

skill-ledger@0.1.2

Cross-harness skill usage auditing with Chinese Markdown reports

AI Security Review

scanned 8h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Installed agent extensions inject audit instructions and observe tool events, writing local audit records. Explicit install commands can register the package with OpenCode or Codex. The bundled review skill can transmit selected review context to a configured model endpoint.

Static reason
No blocking static signals were detected.
Trigger
User installs/enables a supported agent extension, runs an explicit installer, or invokes the bundled code-review skill.
Impact
Agent context and tool-event content may be captured in local audit logs; an explicitly invoked review may disclose selected project context to its configured provider.
Mechanism
Agent hook instrumentation, local audit logging, explicit config mutation, and optional remote model review.
Rationale
This is not malicious by static source inspection, but it creates a first-party AI-agent extension lifecycle surface and includes an optional remote review capability. Warn so users can assess the expected context logging, configuration changes, and model-provider disclosure.
Evidence
package.json.opencode/plugins/skill-ledger.js.pi/extensions/skill-ledger.tshooks/hooks.jsonhooks/hooks-cursor.jsonscripts/skill-ledger.mjs.agents/skills/code-review-loop/scripts/call-model.mjs.skill-ledger/runs/<runId>.jsonl.skill-ledger/active/<harness>.json.skill-ledger/reports/<timestamp>.md$HOME/.config/opencode/opencode.json
Network endpoints1
api.deepseek.com/v1

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `.opencode/plugins/skill-ledger.js` injects audit bootstrap text into agent messages and records observed skill calls.
  • `hooks/hooks.json` and `hooks/hooks-cursor.json` run package hooks at session start and after tool use.
  • `scripts/skill-ledger.mjs` has explicit install commands that update OpenCode/Codex agent configuration.
  • Bundled `.agents/skills/code-review-loop/scripts/call-model.mjs` can send review payloads to configured model APIs with bearer credentials.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • Audit runtime writes local `.skill-ledger` logs; no network client appears in the primary audit plugin, hooks, or CLI.
  • Model transport is a user-invoked review capability with endpoint/API key configuration, not import-time execution.
  • No credential harvesting, destructive deletion, obfuscated payload, dynamic code loading, or hidden persistence was found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 9 file(s), 31.4 KB of source, external domains: github.com, opencode.ai

Source & flagged code

1 flagged · loading source
hooks/run-hook.cmdView file
path = hooks/run-hook.cmd kind = build_helper sizeBytes = 590 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

hooks/run-hook.cmdView on unpkg

Findings

3 Medium4 Low
MediumEnvironment Vars
MediumShips Build Helperhooks/run-hook.cmd
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings