// npm 패키지
@metamask/skills
Shared MetaMask agent skills installer and sync CLI.
버전
1
메인테이너
3
라이선스
MIT
최초 publish
2026-06-04
publisher
metamaskbot
tarball
7,502,057 B
AUTO-PUBLISHED·1개 버전 인덱싱됨·최근 publish: 2026-06-04
// exfil path
what is read → where it ships
steals
(no specific credential-read flag matched)
sends to
- ⚙ curl | bash(fetches + executes remote payload)
// offending code· @0.1.0· 3 files flagged
llm: malicious · 0.95→ 정적 분석기가 curl-pipe-bash 패턴 검출 — 설치 경로에 원격 코드 실행 형태가 그대로 드러남.
- @0.1.0··AUTO-PUBLISHED·publisher: metamaskbot · heuristic 44/100 · static flags 3 · llm malicious (0.95) via fast-track · first-version-of-package · has-source-repo · publisher-multi-name-burst:5 · publisher-version-pump:6 · public-github-push · curl-pipe-bash · bun-runtime-bootstrap
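→ 정적 분석기가 curl-pipe-bash 패턴 검출 — 설치 경로에 원격 코드 실행 형태가 그대로 드러남. 단, 아래 발췌 범위에서 해당 패턴은 모두 echo로 출력되는 설치 안내 문자열 안에 있고 스크립트가 직접 실행하는 curl | bash 호출은 보이지 않으며, package.json 발췌에도 install/postinstall 계열 라이프사이클 스크립트는 없으므로, 판정 전에 전체 tarball에서 실제 실행 경로를 확인할 필요가 있음.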
// offending code· 3 files flagged· patterns: 3
--- package/package.json (excerpt) ---
{
  "name": "@metamask/skills",
  "version": "0.1.0",
  "description": "Shared MetaMask agent skills installer and sync CLI.",
  "license": "MIT",
  "type": "module",
  "bin": { "metamask-skills": "bin/metamask-skills.mjs" },
  "files": [ "bin/", "domains/", "tools/", "README.md", "CHANGELOG.md", "LICENSE" ],
  "scripts": {
    "smoke": "node bin/metamask-skills.mjs --help",
    "build": "node bin/metamask-skills.mjs --help",
    "test": "node --test test/*.test.mjs",
    "pack:dry-run": "yarn pack --dry-run",
    "lint": "yarn lint:changelog",
    "lint:changelog": "auto-changelog validate --formatter oxfmt"
  },
  "publishConfig": { "access": "public", "registry": "https://registry.npmjs.org/" },
  "repository": { "type": "git", "url": "https://github.com/MetaMask/skills.git" },
  "engines": { "node": "^18.18 || >=20" },
  "packageManager": "yarn@4.16.0",
  "devDependencies": { "@metamask/auto-changelog": "^6.1.1", "oxfmt": "^0.45.0" }
}
--- package/domains/web3-tools/skills/oh-my-opencode/scripts/doctor.sh (excerpt) ---
#!/usr/bin/env bash
# oh-my-opencode doctor — diagnose configuration issues
# Usage: ./scripts/doctor.sh [--verbose]
#
# Review note: in this excerpt every "curl ... | bash" occurrence sits inside a
# double-quoted echo argument, so it is printed as an install hint and is not
# executed by this script. The commands the visible code actually runs are
# `command -v`, `opencode --version` and `grep`.
set -euo pipefail

# First positional argument, empty when absent; not referenced again in the
# visible part of the excerpt.
VERBOSE="${1:-}"

# ANSI colour escapes, interpreted by `echo -e` in the helpers below.
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color

# One-line status printers: $1 is the message shown after the coloured marker.
pass() { echo -e " ${GREEN}✓${NC} $1"; }
fail() { echo -e " ${RED}✗${NC} $1"; }
warn() { echo -e " ${YELLOW}⚠${NC} $1"; }

echo "=== Oh My OpenCode Doctor ==="
echo ""

# Check 1: OpenCode installation
echo "Checking OpenCode installation..."
if command -v opencode &>/dev/null; then
  # Runs whichever `opencode` is first on PATH; falls back to "unknown" if the
  # version query fails.
  OC_VERSION=$(opencode --version 2>/dev/null || echo "unknown")
  pass "OpenCode installed: $OC_VERSION"
else
  fail "OpenCode is not installed"
  # Printed text only. A user who follows the first hint pipes a remote script
  # into a shell with no integrity check; that choice is made outside this script.
  echo " Install: curl -fsSL https://opencode.ai/install | bash"
  echo " Or: npm install -g opencode-ai"
  exit 1
fi

# Check 2: bunx available
echo "Checking bunx availability..."
if command -v bunx &>/dev/null; then
  pass "bunx is available"
elif command -v npx &>/dev/null; then
  warn "bunx not found, npx available (bunx is recommended)"
else
  fail "Neither bunx nor npx found"
  # Printed text only, as above; nothing is downloaded here.
  echo " Install Bun: curl -fsSL https://bun.sh/install | bash"
fi

# Check 3: Plugin registration
echo "Checking plugin registration..."
OC_CONFIG="${HOME}/.config/opencode/opencode.json"
if [ -f "$OC_CONFIG" ]; then
  # Plain substring match anywhere in the file; it does not parse the JSON or
  # confirm the name is inside the plugin array the message refers to.
  if grep -q "oh-my-opencode" "$OC_CONFIG" 2>/dev/null; then
    pass "oh-my-opencode registered in opencode.json"
  else
    fail "oh-my-opencode NOT found in opencode.json plugin array"
# (excerpt ends here on the page; the two enclosing if-blocks are not closed in this view)
--- package/domains/web3-tools/skills/oh-my-opencode/scripts/run-ulw.sh (excerpt) ---
#!/usr/bin/env bash
# Quick ultrawork launcher for oh-my-opencode
# Usage: ./scripts/run-ulw.sh [workdir] "your prompt here"
#
# Examples:
# ./scripts/run-ulw.sh "add authentication to the API"
# ./scripts/run-ulw.sh /path/to/project "refactor the database layer"
# ./scripts/run-ulw.sh . "fix all lint errors"
#
# Review note: the only "curl ... | bash" in this file is an echo'd install
# hint. The script itself changes directory and execs a locally installed
# `opencode`; no download or pipe-to-shell is performed by the visible code.
set -euo pipefail

# Print usage text and exit with status 1.
usage() {
  echo "Usage: $0 [workdir] \"prompt\""
  echo ""
  echo "Arguments:"
  echo " workdir Optional. Directory to run in (defaults to current directory)"
  echo " prompt Required. Your task description (ulw keyword is auto-prepended)"
  echo ""
  echo "Examples:"
  echo " $0 \"add dark mode to the settings page\""
  echo " $0 /path/to/project \"fix the broken tests\""
  echo " $0 . \"refactor auth module\""
  exit 1
}

if [ $# -eq 0 ]; then
  usage
fi

WORKDIR="."
PROMPT=""
# One argument: it is the prompt. Two or more: the first is always taken as
# the working directory and the rest are joined into the prompt by "$*".
if [ $# -eq 1 ]; then
  PROMPT="$1"
elif [ $# -ge 2 ]; then
  WORKDIR="$1"
  shift
  PROMPT="$*"
fi

if [ -z "$PROMPT" ]; then
  echo "Error: prompt is required"
  usage
fi

# Verify opencode is installed
if ! command -v opencode &>/dev/null; then
  echo "Error: opencode is not installed"
  # Printed text only; the script exits without fetching anything.
  echo "Install: curl -fsSL https://opencode.ai/install | bash"
  exit 1
fi

# Resolve workdir
# Turns WORKDIR into an absolute path; with `set -e` a missing or unreadable
# directory ends the script here.
WORKDIR=$(cd "$WORKDIR" && pwd)

echo "=== Ultrawork Mode ==="
echo "Directory: $WORKDIR"
echo "Prompt: ulw $PROMPT"
echo ""

# Run opencode in non-interactive mode with ulw prefix
cd "$WORKDIR"
# The prompt is handed over as a single double-quoted argument, so this shell
# does not re-parse its contents; what `opencode run` does with it is outside
# this excerpt.
exec opencode run "ulw $PROMPT"
