registry  /  @millsydotdev/ceoinabox  /  1.6.0

@millsydotdev/ceoinabox@1.6.0

AI department hierarchy plugin for OpenCode — CEO delegates work across 17 specialist engineering agents

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. When OpenCode loads the configured plugin, it synchronizes its first-party agent assets into the workspace and can overwrite differing instruction files with backups. Separate explicit commands can import remote skills or install MCP packages.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
OpenCode plugin load; explicit `download-skill` or `mcp install` command
Impact
Can modify workspace AI-agent instructions; explicit commands can introduce external content or dependencies.
Mechanism
first-party AI-agent asset synchronization plus user-invoked remote skill/MCP setup
Rationale
Source does not support a malicious verdict, but automatic OpenCode-load synchronization mutates AI-agent instruction files and warrants a lifecycle-risk warning.
Evidence
package.jsonscripts/index.jsscripts/sync.jsscripts/download-skill.jsscripts/mcp.jsscripts/env-check.js

Decision evidence

public snapshot
AI called this Suspicious at 89.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `scripts/index.js` invokes `applySync()` on OpenCode plugin load.
  • `scripts/sync.js` overwrites differing `AGENTS.md` and `.opencode/{agents,commands,rules}` files, creating one `.bak` backup.
  • `scripts/download-skill.js` downloads/clones user-supplied sources and copies skills after basic scans.
  • `scripts/mcp.js` runs `npm install` under an explicit CLI install command.
Evidence against
  • `package.json` has only `prepare: husky`; no `preinstall`, `install`, or `postinstall`.
  • `scripts/env-check.js` reports whether variables are set, not their values.
  • No inspected `eval`/VM/native loader, credential exfiltration, or hard-coded exfiltration endpoint.
  • Remote skill importing requires an explicit user command and prompts on detected patterns.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 118 file(s), 808 KB of source, external domains: api.github.com, codeberg.org, evil.example.com, github.com, gitlab.com, opencode.ai

Source & flagged code

6 flagged · loading source
scripts/env-check.jsView file
1#!/usr/bin/env node L2: import { execSync } from 'child_process'; L3: import { readFileSync, existsSync } from 'fs';
High
Child Process

Package source references child process execution.

scripts/env-check.jsView on unpkg · L1
scripts/download-skill.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @millsydotdev/ceoinabox@1.3.21 matchedIdentity = npm:QG1pbGxzeWRvdGRldi9jZW9pbmFib3g:1.3.21 similarity = 0.690 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

scripts/download-skill.jsView on unpkg
27[/base64\s*-d.*(\||`|\$)/i, 'base64 decode/exec'], L28: [/(sh\s+-i|bash\s+-i|nc\s+-e|powershell\s+-enc)/i, 'reverse shell'], L29: [/rm\s+(-rf|-r\s+-f|--recursive\s+--force)\s+\//i, 'rm -rf'],
High
Shell

Package source references shell execution.

scripts/download-skill.jsView on unpkg · L27
scripts/test-perf.jsView file
50bench('Import infrastructure modules', () => { L51: import('./infra/index.js'); L52: }, 1);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

scripts/test-perf.jsView on unpkg · L50
scripts/validate.jsView file
29try { L30: const out = execSync('npx tsc --noEmit', { cwd: p, encoding: 'utf8', stdio: 'pipe' }); L31: if (out) console.log(out);
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/validate.jsView on unpkg · L29
scripts/render-social-preview.shView file
path = scripts/render-social-preview.sh kind = build_helper sizeBytes = 230 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/render-social-preview.shView on unpkg

Findings

1 Critical3 High5 Medium5 Low
CriticalPrevious Version Dangerous Deltascripts/download-skill.js
HighChild Processscripts/env-check.js
HighShellscripts/download-skill.js
HighRuntime Package Installscripts/validate.js
MediumDynamic Requirescripts/test-perf.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/render-social-preview.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings