AI Security Review
scanned 2d ago · by lpm-firewall-ai
LPM blocks this version under the AI-agent control-surface policy. The package modifies OpenCode configuration during npm postinstall, adding itself as a plugin and creating booster config files. This is an unconsented lifecycle mutation of an AI agent control surface even though it matches the package theme.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install / postinstall
Impact
OpenCode may load the package plugin automatically after install, changing AI agent behavior without a separate user command.
Mechanism
install-time OpenCode plugin registration and config file creation
Policy narrative
On installation, npm runs the package postinstall script. That invokes the bundled CLI `init`, which edits OpenCode server and TUI config files to include `@hallaxius/nim-booster`, then `init-project`, which creates a project booster config. After OpenCode restarts, the package can be loaded as an OpenCode plugin and alter key/proxy rotation behavior.
Rationale
Static inspection confirms install-time writes to OpenCode control-surface configs; under the firewall policy this is blocking behavior even though the implementation otherwise appears package-aligned and documented. No separate exfiltration or destructive payload was found. Product guard normalized a concrete AI-agent control hijack publish_block to the blockable dangerous-capability shape.
Evidence
- package.json
- dist/bin.js
- dist/config-installer.js
- dist/config.js
- dist/server.js
- dist/proxy/store.js
- dist/proxy/fetch-patch.js
- README.md
- ~/.config/opencode/opencode.json
- ~/.config/opencode/tui.json
- ~/.config/opencode/nim-booster/config.json
- booster.jsonc
Network endpoints (4)
- proxy.webshare.io/api/v2/proxy/list/
- proxy.webshare.io/api/v2/proxy/list/refresh/
- p.webshare.io
- ipv4.webshare.io
Decision evidence
public snapshot
AI called this Malicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
- package.json postinstall runs `node dist/bin.js init` and `init-project` automatically
- dist/bin.js dispatches install-time `init` to `updateOpenCodeConfigs` and `init-project` to `writeProjectBoosterConfig`
- dist/config-installer.js writes OpenCode `opencode.json` and `tui.json` plugin entries for `@hallaxius/nim-booster`
- dist/config-installer.js creates default `nim-booster/config.json` and project `booster.jsonc` without an explicit user CLI invocation
- dist/proxy/store.js contacts `https://proxy.webshare.io/api/v2/proxy/list/` only when proxy features are configured
Evidence against
- No child_process, eval, dynamic code loading, or obfuscated payload found in inspected dist files
- Network access is package-aligned Webshare proxy API and gated by configured token/proxy use
- No evidence of credential exfiltration; tokens/keys are stored locally for the plugin feature
- README documents the postinstall OpenCode config modification behavior
Behavioral surface
Crypto · Environment Vars · Filesystem · Network · Url Strings
Source & flagged code
2 flagged
package.json
• `scripts.postinstall = node dist/bin.js init; node dist/bin.js init-project; node -e 0`
Critical
Red Install Lifecycle Script
Install-time lifecycle script matches a deterministic static-gate block pattern.
package.json
• `scripts.postinstall = node dist/bin.js init; node dist/bin.js init-project; node -e 0`
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
Findings
1 Critical · 1 High · 2 Medium · 3 Low
- Critical: Red Install Lifecycle Script (package.json)
- High: Install Time Lifecycle Scripts (package.json)
- Medium: Network
- Medium: Environment Vars
- Low: Scripts Present
- Low: Filesystem
- Low: Url Strings