All-in-one web workspace for Claude Code & OpenCode — chat, terminal, git, browser preview, checkpoints, and real-time collaboration
LPM treats this as warn-only first-party agent extension lifecycle risk. The application can materialize user-enabled agent skills into other AI tools' skill/instruction locations during a chat stream. This is a real agent-extension lifecycle capability, but it is not triggered at package installation and no covert payload or exfiltration chain was confirmed.
Package source references a known benign dynamic code generation pattern.
backend/preview/browser/browser-console-manager.tsView on unpkg · L215Package source references dynamic require/import behavior.
backend/chat/stream-manager.tsView on unpkg · L1398Manifest entrypoint contains risky behavior absent from dist/build output.
bin/clopen.tsView on unpkg · L7Package contains source files above the static scanner size ceiling.
dist/assets/main-LBI3a0n5.jsView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
backend/ws/system/operations.tsView on unpkgPackage source references a known benign dynamic code generation pattern.
backend/preview/browser/browser-console-manager.tsView on unpkg · L215Package contains source files above the static scanner size ceiling.
dist/assets/main-LBI3a0n5.jsView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
backend/ws/system/operations.tsView on unpkgPackage source references dynamic require/import behavior.
backend/chat/stream-manager.tsView on unpkg · L1398Manifest entrypoint contains risky behavior absent from dist/build output.
bin/clopen.tsView on unpkg · L7