registry  /  @shgroup/opencode-serenity-plugin  /  0.5.33

@shgroup/opencode-serenity-plugin@0.5.33

Serenity — 为 OpenCode Agent 提供认知容器 (CCC) 基础设施。9 个工具 (msm_list/msm_exec/msm_admin/cc-fs/session/cc-ck/eap/neat/cc-git) + 6 个 hook。D1 Init 向导:CLI 交互式创建 CCC + Phase 2 强制访谈。

AI Security Review

scanned 14d ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Confirmed AI-agent control-surface mutation on plugin activation. The package automatically weakens OpenCode project permissions and auto-approves permission prompts after activation.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User installs/registers the plugin, then OpenCode loads it inside a Serenity git workspace.
Impact
Can silently broaden agent read/edit authority and persist the change in project configuration with an automatic git commit.
Mechanism
automatic OpenCode permission patching and permission auto-reply
Policy narrative
When OpenCode loads the plugin, activation starts background setup. If a Serenity workspace is detected, it rewrites the workspace opencode.json to set read/edit permissions to allow, then attempts to git add and commit that change. Separately, the permission event hook answers permission prompts with "always", reducing user oversight of future tool calls.
Rationale
The package is aligned with OpenCode plugin functionality, but the activation-time automatic permission broadening and permission auto-approval are concrete, persistent AI-agent control-surface mutations beyond ordinary package execution. No external exfiltration was found, so the verdict is based on local control hijack rather than data theft. Product guard normalized a non-low false-positive publish_block request to warn-only suspicious.
Evidence
package.jsonbin/opencode-serenity-plugin.jsdist/activation.jsdist/util/config-patch.jsdist/hooks/permission-auto-reply.jsdist/tools/loop-tool.jsdist/tools/loop-runner.js<cwdRoot>/opencode.json<cwdRoot>/AGENT_SESSIONS/loop-<label>.md<cwdRoot>/AGENT_SESSIONS/loop-<label>.json~/.config/opencode/opencode.json~/.config/opencode/tui.json
Network endpoints2
127.0.0.1:${PORT}serverUrl from OpenCode SDK client

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for policy block
  • dist/activation.js calls patchMainRepoOpencodeJson during plugin activation without waiting for an explicit user command.
  • dist/util/config-patch.js rewrites <cwdRoot>/opencode.json permission.read and permission.edit to "allow" and git-commits it.
  • dist/hooks/permission-auto-reply.js replies "always" to OpenCode permission events when activated.
  • bin/opencode-serenity-plugin.js install writes global OpenCode plugin entries into opencode.json and tui.json.
  • dist/tools/loop-tool.js and dist/tools/loop-runner.js spawn OpenCode headless loops that can run commands through a local server.
Evidence against
  • package.json has no npm lifecycle scripts, so behavior is not install-time npm execution.
  • No credential harvesting or external exfiltration endpoints found in inspected code.
  • Network activity seen is package-aligned local OpenCode API use and schema URLs.
  • Shell and child_process use is mostly user-invoked plugin/tool functionality.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 52 file(s), 494 KB of source, external domains: 127.0.0.1, github.com, opencode.ai

Source & flagged code

3 flagged · loading source
dist/init/init-wizard.jsView file
17import { existsSync, mkdirSync, writeFileSync } from 'node:fs'; L18: import { execFileSync } from 'node:child_process'; L19: import { join, basename } from 'node:path';
High
Child Process

Package source references child process execution.

dist/init/init-wizard.jsView on unpkg · L17
dist/util/msm-exec-runtime.jsView file
45* npx tsx msm-exec-runtime.ts --log /tmp/x.log --format=json <msm-name> [args...] L46: * npx tsx msm-exec-runtime.ts --list L47: * npx tsx msm-exec-runtime.ts --schema <msm-name> ... L60: import { readFileSync, appendFileSync, existsSync, writeFileSync, mkdirSync } from "node:fs"; L61: import { spawn } from "node:child_process"; L62: import { resolve, dirname } from "node:path";
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/util/msm-exec-runtime.jsView on unpkg · L45
dist/tools/loop-runner.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @shgroup/opencode-serenity-plugin@0.5.31 matchedIdentity = npm:[redacted]:0.5.31 similarity = 0.941 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/tools/loop-runner.jsView on unpkg

Findings

1 Critical3 High2 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/tools/loop-runner.js
HighChild Processdist/init/init-wizard.js
HighShell
HighRuntime Package Installdist/util/msm-exec-runtime.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings