AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. This is an OpenCode agent-extension package that mutates the workspace control surface at plugin runtime by syncing its own agents, commands, rules, AGENTS.md, and Makefile. The behavior is package-aligned but broad enough to warrant a warning rather than a block.
Decision evidence
public snapshot- scripts/index.js server() calls applySync(workspaceRoot,false,...) on plugin load, copying package agents/commands/rules into .opencode.
- scripts/sync.js can copy AGENTS.md and Makefile into workspace and .opencode/{agents,commands,rules}.
- scripts/mcp.js user command can run npm install for built-in MCP server packages and write .mcp.json.
- scripts/download-skill.js can clone/download external skills from user-supplied URLs, then install them after scans/prompts.
- package.json has no preinstall/install/postinstall lifecycle hooks and main is scripts/index.js.
- Agent permissions registered in scripts/index.js use ask for bash/edit rather than auto-allow.
- scripts/env-check.js only checks tool versions and env var presence; it does not print secret values or exfiltrate.
- scripts/validate.js/setup.js/lint.js execute local project tools only when invoked as commands, not at install time.
- No hardcoded exfiltration endpoint or remote payload execution found in inspected source.
Source & flagged code
5 flagged · loading sourcePackage source references child process execution.
scripts/env-check.jsView on unpkg · L1Package source invokes a package manager install command at runtime.
scripts/validate.jsView on unpkg · L29This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
scripts/lint.jsView on unpkg