registry  /  @shgroup/opencode-serenity-plugin  /  0.5.39

@shgroup/opencode-serenity-plugin@0.5.39

Serenity — 为 OpenCode Agent 提供认知容器 (CCC) 基础设施。9 个工具 (msm_list/msm_exec/msm_admin/cc-fs/session/cc-ck/eap/neat/cc-git) + 6 个 hook。D1 Init 向导:CLI 交互式创建 CCC + Phase 2 强制访谈。

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. After the user explicitly registers the plugin, guarded runtime activation can broaden a project's OpenCode read/edit permissions, auto-reply to permission requests, and commit the config change. Its loop tool also starts a temporary OpenCode server bound to all interfaces.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `opencode-serenity-plugin install` and OpenCode loads the plugin in a qualifying git/Serenity project; loop behavior requires the `loop` tool.
Impact
An active agent can receive broader filesystem permissions and persist the project config change; a temporary loop server may be network-reachable.
Mechanism
Agent permission escalation plus local agent-server/process orchestration.
Rationale
The source shows real permission-broadening and agent-control behavior after explicit plugin installation, so it warrants a warning. It does not meet the blocking policy because there is no unconsented npm lifecycle mutation or demonstrated malicious/exfiltration chain.
Evidence
package.jsonbin/opencode-serenity-plugin.jsdist/activation.jsdist/util/config-patch.jsdist/hooks/permission-auto-reply.jsdist/tools/loop-runner.jsopencode.jsontui.json/tmp/serenity-bg-taskregistered MSM script paths
Network endpoints2
127.0.0.1:${PORT}0.0.0.0:${PORT}

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/activation.js` automatically invokes `patchMainRepoOpencodeJson` after guarded plugin activation.
  • `dist/util/config-patch.js` changes project `opencode.json` read/edit permissions to `allow` and attempts a git commit.
  • `dist/hooks/permission-auto-reply.js` replies `always` to activated OpenCode permission events.
  • `dist/tools/loop-runner.js` launches `opencode serve` bound to `0.0.0.0` for its loop tool.
  • `dist/util/msm-exec-runtime.js` runs registered project scripts through `npx tsx`.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` hook.
  • Global OpenCode registration in `bin/opencode-serenity-plugin.js` requires an explicit `install` command.
  • No credential-harvesting paths or external exfiltration endpoint were found.
  • Loop API calls target `http://127.0.0.1:${PORT}`; schema URLs are metadata only.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 49 file(s), 461 KB of source, external domains: 127.0.0.1, github.com, opencode.ai

Source & flagged code

3 flagged · loading source
dist/init/init-wizard.jsView file
17import { existsSync, mkdirSync, writeFileSync } from 'node:fs'; L18: import { execFileSync } from 'node:child_process'; L19: import { join, basename } from 'node:path';
High
Child Process

Package source references child process execution.

dist/init/init-wizard.jsView on unpkg · L17
dist/util/msm-exec-runtime.jsView file
45* npx tsx msm-exec-runtime.ts --log /tmp/x.log --format=json <msm-name> [args...] L46: * npx tsx msm-exec-runtime.ts --list L47: * npx tsx msm-exec-runtime.ts --schema <msm-name> ... L60: import { readFileSync, appendFileSync, existsSync, writeFileSync, mkdirSync } from "node:fs"; L61: import { spawn } from "node:child_process"; L62: import { resolve, dirname } from "node:path";
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/util/msm-exec-runtime.jsView on unpkg · L45
dist/tools/loop-runner.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @shgroup/opencode-serenity-plugin@0.5.38 matchedIdentity = npm:[redacted]:0.5.38 similarity = 0.917 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/tools/loop-runner.jsView on unpkg

Findings

1 Critical3 High2 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/tools/loop-runner.js
HighChild Processdist/init/init-wizard.js
HighShell
HighRuntime Package Installdist/util/msm-exec-runtime.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings