registry  /  @openviking/opencode-plugin  /  0.2.3

@openviking/opencode-plugin@0.2.3

Unified OpenCode plugin for OpenViking repository retrieval and long-term memory

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. At OpenCode plugin initialization, the package mutates the in-memory host MCP configuration to register a local OpenViking proxy. It captures chat/session content and sends it, with configured credentials, to the selected OpenViking service; the default target is localhost.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
OpenCode loads and enables the plugin; session/chat hooks then run.
Impact
Adds a model tool surface and can transmit conversation/tool-derived memory data to the configured OpenViking endpoint.
Mechanism
First-party MCP registration plus automatic memory capture and authenticated HTTP forwarding.
Rationale
Source inspection found a package-owned OpenCode MCP registration and automatic memory capture/forwarding capability, which warrants a warning under the extension-lifecycle policy. No lifecycle-based persistence, stealth exfiltration endpoint, remote payload execution, or destructive behavior was found.
Evidence
package.jsonindex.mjslib/mcp-config.mjslib/config.mjslib/memory-session.mjsservers/mcp-proxy.mjslib/shared/setup-wizard.mjs
Network endpoints2
127.0.0.1:1933api.vikingdb.cn-beijing.volces.com/openviking

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `index.mjs` injects an enabled `openviking` MCP entry into the host config.
  • `lib/mcp-config.mjs` configures Node to execute `servers/mcp-proxy.mjs`.
  • `lib/memory-session.mjs` captures session messages and posts them to the configured service.
  • `servers/mcp-proxy.mjs` reads OpenViking credentials and forwards JSON-RPC with bearer auth.
  • `lib/shared/async-writer.mjs` contains detached child-process logic, but no caller references it.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • Default service endpoint is local: `http://127.0.0.1:1933`.
  • Cloud URL setup is interactive and requires explicit confirmation before writing credentials.
  • No dynamic code loading, shell execution, foreign-agent config file writes, or hidden network host was found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 26 file(s), 143 KB of source, external domains: 127.0.0.1, api.vikingdb.cn-beijing.volces.com

Source & flagged code

1 flagged · loading source
lib/shared/async-writer.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @openviking/opencode-plugin@0.2.1 matchedIdentity = npm:[redacted]:0.2.1 similarity = 0.875 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

lib/shared/async-writer.mjsView on unpkg

Findings

1 High2 Medium4 Low
HighPrevious Version Dangerous Deltalib/shared/async-writer.mjs
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings