registry  /  @millsydotdev/ceoinabox  /  1.3.20

@millsydotdev/ceoinabox@1.3.20

CEO-in-a-Box: AI department hierarchy plugin for OpenCode

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. This is an OpenCode agent-extension package that mutates the workspace control surface at plugin runtime by syncing its own agents, commands, rules, AGENTS.md, and Makefile. The behavior is package-aligned but broad enough to warrant a warning rather than a block.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
OpenCode loads the plugin or user invokes ceo-* commands
Impact
Workspace AI-agent configuration and command surface can be changed; user-invoked commands can install MCP packages or skills.
Mechanism
first-party agent extension setup and user-invoked tooling
Rationale
Source inspection shows first-party OpenCode extension behavior with broad agent-control-surface writes at plugin runtime, but no npm lifecycle hook, credential harvesting, exfiltration, stealth persistence, or remote payload execution. Under the policy this fits an agent extension lifecycle risk warning, not a malicious publish block.
Evidence
package.jsonscripts/index.jsscripts/sync.jsscripts/mcp.jsscripts/download-skill.jsscripts/env-check.jsscripts/validate.jsscripts/lint.js.opencode/agents/*.opencode/commands/*.opencode/rules/*AGENTS.mdMakefileopencode.json.mcp.jsonceoinabox.jsonskills/<skillName>/SKILL.md
Network endpoints3
api.github.com/search/codegithub.com/millsydotdev/CEOinaBoxopencode.ai/config.json

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • scripts/index.js server() calls applySync(workspaceRoot,false,...) on plugin load, copying package agents/commands/rules into .opencode.
  • scripts/sync.js can copy AGENTS.md and Makefile into workspace and .opencode/{agents,commands,rules}.
  • scripts/mcp.js user command can run npm install for built-in MCP server packages and write .mcp.json.
  • scripts/download-skill.js can clone/download external skills from user-supplied URLs, then install them after scans/prompts.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks and main is scripts/index.js.
  • Agent permissions registered in scripts/index.js use ask for bash/edit rather than auto-allow.
  • scripts/env-check.js only checks tool versions and env var presence; it does not print secret values or exfiltrate.
  • scripts/validate.js/setup.js/lint.js execute local project tools only when invoked as commands, not at install time.
  • No hardcoded exfiltration endpoint or remote payload execution found in inspected source.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 42 file(s), 254 KB of source, external domains: api.github.com, github.com, opencode.ai

Source & flagged code

5 flagged · loading source
scripts/env-check.jsView file
1#!/usr/bin/env node L2: import { execSync } from 'child_process'; L3: import { readFileSync, existsSync } from 'fs';
High
Child Process

Package source references child process execution.

scripts/env-check.jsView on unpkg · L1
28try { L29: raw = execSync(`${cmd} --version 2>&1`, { encoding: 'utf-8', timeout: 5_000, shell: true }).trim(); L30: } catch (e) {
High
Shell

Package source references shell execution.

scripts/env-check.jsView on unpkg · L28
scripts/validate.jsView file
29try { L30: const out = execSync('npx tsc --noEmit', { cwd: p, encoding: 'utf8', stdio: 'pipe' }); L31: if (out) console.log(out);
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/validate.jsView on unpkg · L29
MakefileView file
path = Makefile kind = build_helper sizeBytes = 55 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

MakefileView on unpkg
scripts/lint.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @millsydotdev/ceoinabox@1.3.18 matchedIdentity = npm:QG1pbGxzeWRvdGRldi9jZW9pbmFib3g:1.3.18 similarity = 0.825 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

scripts/lint.jsView on unpkg

Findings

1 Critical3 High4 Medium4 Low
CriticalPrevious Version Dangerous Deltascripts/lint.js
HighChild Processscripts/env-check.js
HighShellscripts/env-check.js
HighRuntime Package Installscripts/validate.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build HelperMakefile
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings