Talos OSE resource bundle (experts).
LPM treats this as warn-only first-party agent extension lifecycle risk. No automatic npm execution or confirmed malicious payload is present. If a user activates the packaged agent presets, they can launch MCP tools with broad home-directory file access, network access, and remote package resolution.
Package source references a known benign dynamic code generation pattern.
Coder/skills/document/bin/docx-annotate.cjsView on unpkg · L2607Package ships non-JavaScript build or shell helper files.
General/skills/xlsx/scripts/office/pack.pyView on unpkgPackage contains source files above the static scanner size ceiling.
Coder/skills/document/bin/doc-gen.cjsView on unpkgPackage contains an oversized executable-looking CLI entrypoint.
Coder/skills/document/bin/doc-gen.cjsView on unpkgPackage source references a known benign dynamic code generation pattern.
Coder/skills/document/bin/docx-annotate.cjsView on unpkg · L2607Package ships non-JavaScript build or shell helper files.
General/skills/xlsx/scripts/office/pack.pyView on unpkgPackage contains source files above the static scanner size ceiling.
Coder/skills/document/bin/doc-gen.cjsView on unpkgPackage contains an oversized executable-looking CLI entrypoint.
Coder/skills/document/bin/doc-gen.cjsView on unpkg