AI Security Review
scanned 2h ago · by lpm-firewall-ai
LPM treats this as a warn-only, first-party agent-extension lifecycle risk: a user-invoked setup CLI for an OpenCode wiki MCP integration. It modifies the OpenCode config and may install opencode-ai globally, but nothing in it runs during npm install.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs opencode-wiki, npx @bip-krishna/opencode-wiki, or npm start
Impact
Registers a MediaWiki MCP server for wiki.fosscell.org and creates backups of existing OpenCode config files; no confirmed unconsented install-time hijack or exfiltration.
Mechanism
OpenCode MCP config writer with package-manager install fallback
Rationale
The package has risky agent-extension setup capabilities, including child_process use, a global npm install (npm install -g opencode-ai), and MCP server registration, but each is explicit CLI behavior and is documented in README.md. Static inspection found no lifecycle-hook execution, credential theft, exfiltration, persistence outside the OpenCode config directory, or destructive behavior.
Evidence
- package.json
- bin/setup.js
- README.md
- ~/.config/opencode
- ~/.config/opencode/wiki-mcp-config.json
- ~/.config/opencode/wiki-mcp-config.json.bak
- ~/.config/opencode/opencode.json
- ~/.config/opencode/opencode.json.bak
Network endpoints (3)
- wiki.fosscell.org
- opencode.ai/config.json
- raw.githubusercontent.com/bip-krishna/opencode/dev/scripts/quickstart.sh
Decision evidence
public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- package.json exposes bin opencode-wiki -> ./bin/setup.js and start runs it
- bin/setup.js uses execSync for opencode --version and npm install -g opencode-ai
- bin/setup.js writes ~/.config/opencode/wiki-mcp-config.json and opencode.json
- opencode config registers npx -y @professional-wiki/mediawiki-mcp-server@0.10.0
Evidence against
- No install/preinstall/postinstall lifecycle hook; setup is user-invoked
- README documents the same OpenCode config writes and global install behavior
- No credential harvesting; username/password are null placeholders unless user edits config
- No obfuscation, eval/vm/Function, native binary loading, or destructive behavior found
Behavioral surface
- Child Process
- Filesystem
- Shell
- URL Strings
Source & flagged code
3 flagged in bin/setup.js
High · bin/setup.js L1-3
L1: #!/usr/bin/env node
L2: import { execSync } from "child_process";
L3: import { existsSync, mkdirSync, writeFileSync, readFileSync } from "fs";
High · bin/setup.js L70-72
L70: console.log(" " + WIKI_CONFIG);
L71: console.log("\n For interactive setup: bash -c \"$(curl -fsSL https://raw.githubusercontent.com/bip-[redacted].sh)\"");
L72: console.log("");
High · bin/setup.js L19-21
L19: console.log(" Installing opencode-ai...");
L20: execSync("npm install -g opencode-ai", { stdio: "inherit" });
L21: console.log(" \u2713 Installed opencode-ai\n");
Runtime Package Install (High)
Package source invokes a package manager install command at runtime.
bin/setup.js · L19
Findings
3 High · 3 Low
- High · Child Process · bin/setup.js
- High · Shell · bin/setup.js
- High · Runtime Package Install · bin/setup.js
- Low · Scripts Present
- Low · Filesystem
- Low · URL Strings