AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. At OpenCode plugin initialization, the package mutates the in-memory host MCP configuration to register a local OpenViking proxy. It captures chat/session content and sends it, with configured credentials, to the selected OpenViking service; the default target is localhost.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
OpenCode loads and enables the plugin; session/chat hooks then run.
Impact
Adds a model tool surface and can transmit conversation/tool-derived memory data to the configured OpenViking endpoint.
Mechanism
First-party MCP registration plus automatic memory capture and authenticated HTTP forwarding.
Rationale
Source inspection found a package-owned OpenCode MCP registration and automatic memory capture/forwarding capability, which warrants a warning under the extension-lifecycle policy. No lifecycle-based persistence, stealth exfiltration endpoint, remote payload execution, or destructive behavior was found.
Evidence
package.jsonindex.mjslib/mcp-config.mjslib/config.mjslib/memory-session.mjsservers/mcp-proxy.mjslib/shared/setup-wizard.mjs
Network endpoints2
127.0.0.1:1933api.vikingdb.cn-beijing.volces.com/openviking
Decision evidence
public snapshotAI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `index.mjs` injects an enabled `openviking` MCP entry into the host config.
- `lib/mcp-config.mjs` configures Node to execute `servers/mcp-proxy.mjs`.
- `lib/memory-session.mjs` captures session messages and posts them to the configured service.
- `servers/mcp-proxy.mjs` reads OpenViking credentials and forwards JSON-RPC with bearer auth.
- `lib/shared/async-writer.mjs` contains detached child-process logic, but no caller references it.
Evidence against
- `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
- Default service endpoint is local: `http://127.0.0.1:1933`.
- Cloud URL setup is interactive and requires explicit confirmation before writing credentials.
- No dynamic code loading, shell execution, foreign-agent config file writes, or hidden network host was found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcelib/shared/async-writer.mjsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @openviking/opencode-plugin@0.2.1
matchedIdentity = npm:[redacted]:0.2.1
similarity = 0.875
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
lib/shared/async-writer.mjsView on unpkgFindings
1 High2 Medium4 Low
HighPrevious Version Dangerous Deltalib/shared/async-writer.mjs
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings