AI called this Suspicious at 87.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `dist/index.js` runs setup automatically when the OpenCode plugin loads.
- `dist/lib/personality-command.js` creates `~/.config/opencode/commands/create-personality.md` if absent.
- `dist/lib/personality-skill.js` writes a package-provided skill under `~/.config/opencode/skills/personality-builder/`.
- `dist/lib/orchestrator-agent.js` creates or renames the OpenCode orchestrator-agent file based on package config.
- `dist/lib/codex-prompts-cache.js` fetches remote prompt text that feeds the installed agent template.
Evidence against
- `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
- Agent/config writes are confined to OpenCode-owned config paths and mostly preserve existing files unless forced.
- Remote prompt URLs are pinned to a specific OpenAI Codex commit and limited to `raw.githubusercontent.com`.
- `dist/lib/remote-cache-fetch.js` enforces HTTPS, host allowlists, redirect checks, and a timeout.
- `dist/lib/cache-lock.js` dynamic import is fixed to declared dependency `proper-lockfile`, not user-controlled.
- No credential exfiltration, arbitrary shell execution, or destructive payload was found in inspected paths.
Behavioral surface
SourceChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chainHighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 89 file(s), 699 KB of source, external domains: api.github.com, api.openai.com, auth.openai.com, chat.openai.com, chatgpt.com, github.com, platform.api.openai.org, platform.openai.com, raw.githubusercontent.com, schemas.iam-brain.dev, www.w3.org