// npm package
@kidsinai/kids-opencode
Kids OpenCode — a kid-safe AI coding mentor (12+). One-command install via `bun add -g @kidsinai/kids-opencode`.
versions
15
maintainers
1
license
MIT
first publish
2026-05-16
publisher
lightman217
tarball
30,743 B
AUTO-PUBLISHED · 1 version indexed · latest published 2026-06-01
// exfil path
what is read → where it ships
steals
(no specific credential-read flag matched)
sends to
- ⚙ curl | bash (fetches + executes remote payload)
// offending code · @0.0.16 · 2 files flagged
llm: malicious · 0.95 → Static analyzer matched curl-pipe-bash: unambiguous remote-code-execution shape in the install path.
- @0.0.16 · AUTO-PUBLISHED · publisher: lightman217 · heuristic 65/100 · static flags 3 · llm malicious (0.95) via fast-track · install-scripts:postinstall · new-publisher:9d · first-version-suspicious-publisher · mature-package · has-source-repo · public-github-push · curl-pipe-bash · tarball-extras-suspicious:scripts/postinstall.sh
→ Static analyzer matched curl-pipe-bash: unambiguous remote-code-execution shape in the install path.
// offending code · 2 files flagged · patterns: 3
--- install scripts ---
### postinstall
sh ./scripts/postinstall.sh || true
--- package/package.json (excerpt) ---
{
  "$schema": "https://json.schemastore.org/package.json",
  "name": "@kidsinai/kids-opencode",
  "version": "0.0.16",
  "type": "module",
  "description": "Kids OpenCode — a kid-safe AI coding mentor (12+). One-command install via `bun add -g @kidsinai/kids-opencode`.",
  "license": "MIT",
  "homepage": "https://github.com/kidsinai/kids-opencode",
  "repository": {
    "type": "git",
    "url": "https://github.com/kidsinai/kids-opencode.git",
    "directory": "packages/kids-opencode"
  },
  "keywords": [ "kids", "education", "k-12", "ai", "coding", "agentic", "opencode", "airbotix" ],
  "bin": { "kids-opencode": "./bin/kids-opencode" },
  "scripts": {
    "postinstall": "sh ./scripts/postinstall.sh || true",
    "test": "sh -n bin/kids-opencode && sh -n scripts/postinstall.sh"
  },
  "files": [ "bin", "scripts", "config", "README.md", "LICENSE" ],
  "dependencies": {
    "@kidsinai/kids-client": "^0.0.16",
    "@kidsinai/kids-opencode-plugin": "^0.0.16",
    "@kidsinai/kids-opencode-tui-plugin": "^0.0.16"
  },
  "engines": { "bun": ">=1.1.0" }
}
--- package/scripts/postinstall.sh (excerpt) ---
#!/usr/bin/env sh
#
# @kidsinai/kids-opencode postinstall.
#
# Runs once after `bun add -g @kidsinai/kids-opencode` (or npm equivalent).
# Idempotent — safe to re-run on every install / update.
#
# What it does:
#   1. Creates ~/.config/kids-opencode/ with 700 perms.
#   2. Generates a random server-password if not present.
#   3. Drops opencode.json (kid-safe config) if not present.
#   4. Registers the plugin + tui-plugin with the AI engine (if installed).
#   5. Tells the user what to do next.
#
# Never fails fatally — postinstall failures shouldn't block the install
# (some environments run with `--ignore-scripts`). We always exit 0 and
# print a friendly hint if anything's incomplete.
#
# NOTE(review): package.json wires this file in as the `postinstall` hook
# (`sh ./scripts/postinstall.sh || true`), so it runs automatically at install
# time with the installing user's privileges unless lifecycle scripts are
# disabled (e.g. `--ignore-scripts`). The `|| true` wrapper also discards any
# non-zero exit, so a failure here never surfaces to the installer.

# Abort on the first unhandled failing command.
# NOTE(review): the header above says the script always exits 0; within this
# excerpt only the `|| true` in package.json guarantees that — confirm against
# the full file.
set -e

# Per-user config directory: honours XDG_CONFIG_HOME, else $HOME/.config.
CONFIG_DIR="${XDG_CONFIG_HOME:-$HOME/.config}/kids-opencode"
# Absolute directory of this script, and the package root one level above it.
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
PKG_DIR="$(cd "$SCRIPT_DIR/.." && pwd)"
# Path of the bundled config template; not referenced again in this excerpt.
TEMPLATE="$PKG_DIR/config/opencode.json.template"

# Use ANSI colours only when stdout is a terminal and NO_COLOR is unset/empty.
# W is assigned here but not used in the visible part of the script.
if [ -t 1 ] && [ -z "${NO_COLOR:-}" ]; then
  G='\033[1;32m'; D='\033[2m'; C='\033[1;36m'; W='\033[1;33m'; O='\033[0m'
else
  G=''; D=''; C=''; W=''; O=''
fi

# Output helpers. The colour variables are expanded into the printf format so
# printf interprets their \033 escapes; the message itself is passed through
# %s and is never treated as a format string.
ok() { printf " ${G}✓${O} %s\n" "$*"; }
note() { printf " ${D}%s${O}\n" "$*"; }

printf "${C}Kids OpenCode${O} setting up your workspace…\n"

# ─── 1. private config directory ──────────────────────────────────────────
# A chmod failure is silenced and ignored, so the directory may keep whatever
# mode mkdir (and the umask) gave it.
mkdir -p "$CONFIG_DIR"
chmod 700 "$CONFIG_DIR" 2>/dev/null || true

# ─── 2. session password ──────────────────────────────────────────────────
# NOTE(review): the excerpt is cut off inside the `if` test below. None of the
# lines visible up to this point fetch or execute remote content, so the
# curl-pipe-bash match reported for this file is not shown here; presumably it
# sits in the unshown remainder (steps 2-5). Read the complete
# scripts/postinstall.sh from the published tarball before relying on this
# excerpt to confirm or dismiss the verdict.
PASSWORD_FILE="$CONFIG_DIR/server-password"
if [ ! -f "$PASSWORD_FILE"
--- source-vs-tarball ---
1 suspicious extra(s) vs kidsinai/kids-opencode@0.0.16
suspicious extras: scripts/postinstall.sh
