AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. After the user explicitly registers the plugin, guarded runtime activation can broaden a project's OpenCode read/edit permissions, auto-reply to permission requests, and commit the config change. Its loop tool also starts a temporary OpenCode server bound to all interfaces.
Decision evidence
public snapshot- `dist/activation.js` automatically invokes `patchMainRepoOpencodeJson` after guarded plugin activation.
- `dist/util/config-patch.js` changes project `opencode.json` read/edit permissions to `allow` and attempts a git commit.
- `dist/hooks/permission-auto-reply.js` replies `always` to activated OpenCode permission events.
- `dist/tools/loop-runner.js` launches `opencode serve` bound to `0.0.0.0` for its loop tool.
- `dist/util/msm-exec-runtime.js` runs registered project scripts through `npx tsx`.
- `package.json` has no `preinstall`, `install`, or `postinstall` hook.
- Global OpenCode registration in `bin/opencode-serenity-plugin.js` requires an explicit `install` command.
- No credential-harvesting paths or external exfiltration endpoint were found.
- Loop API calls target `http://127.0.0.1:${PORT}`; schema URLs are metadata only.
Source & flagged code
3 flagged · loading sourcePackage source references child process execution.
dist/init/init-wizard.jsView on unpkg · L17Package source invokes a package manager install command at runtime.
dist/util/msm-exec-runtime.jsView on unpkg · L45This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/tools/loop-runner.jsView on unpkg