registry  /  @sunerpy/opencode-kiro-auth  /  0.7.0

@sunerpy/opencode-kiro-auth@0.7.0

OpenCode plugin for AWS Kiro (CodeWhisperer) providing access to Claude models

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. After the user enables this OpenCode plugin, it can bootstrap the plugin's auth provider entry and synchronize local Kiro CLI credentials into its own database. The observed network destinations are AWS/Kiro service endpoints required for authentication and model requests; no concrete malicious exfiltration path was found.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
OpenCode loads the configured plugin and invokes its config/auth flows; interactive login opens a browser.
Impact
Mutates OpenCode `auth.json` and duplicates locally available Kiro credentials into `kiro.db`, creating a sensitive agent-extension lifecycle surface.
Mechanism
first-party OpenCode auth bootstrap plus local Kiro credential synchronization
Rationale
Source inspection shows a package-aligned OpenCode/Kiro integration with automatic sensitive credential synchronization and first-party auth configuration mutation. It is not malicious under the stated boundary, but warrants a warning for the agent-extension lifecycle surface.
Evidence
package.jsondist/plugin.jsdist/plugin/auth-bootstrap.jsdist/plugin/sync/kiro-cli.jsdist/plugin/storage/sqlite.jsdist/core/auth/idc-auth-method.jsdist/constants.js~/.local/share/opencode/auth.json~/.config/opencode/kiro.dbKiro CLI SQLite database
Network endpoints5
prod.{{region}}.auth.desktop.kiro.dev/refreshTokenoidc.{{region}}.amazonaws.com/tokenq.{{region}}.amazonaws.com/generateAssistantResponseq.{{region}}.amazonaws.com/getUsageLimitsview.awsapps.com/api/user/info

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Benign with low false-positive risk.
Evidence for warning
  • `dist/plugin/auth-bootstrap.js` automatically adds a `kiro-auth` placeholder to OpenCode `auth.json` when a Kiro CLI DB exists.
  • `dist/plugin/sync/kiro-cli.js` reads Kiro CLI auth records and copies tokens/client credentials into the plugin database.
  • `dist/plugin/storage/sqlite.js` persists access and refresh tokens under the OpenCode config directory.
  • `dist/core/auth/idc-auth-method.js` runs a platform browser-open command during interactive device authorization.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` hook; `prepare` is Husky only.
  • Kiro CLI database access is explicitly `readonly` in `dist/plugin/sync/kiro-cli.js`.
  • Network constants target AWS/Kiro authentication and inference hosts in `dist/constants.js`; no unrelated collector endpoint was found.
  • The child-process use only opens the user-facing AWS device-login URL.
  • No eval, VM execution, remote payload loading, destructive filesystem behavior, or shell persistence was found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
CopyleftLicense
scanned 58 file(s), 296 KB of source, external domains: view.awsapps.com, your-company.awsapps.com

Source & flagged code

1 flagged · loading source
dist/plugin/storage/sqlite.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @sunerpy/opencode-kiro-auth@0.5.1 matchedIdentity = npm:[redacted]:0.5.1 similarity = 0.564 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/plugin/storage/sqlite.jsView on unpkg

Findings

1 High2 Medium6 Low
HighPrevious Version Dangerous Deltadist/plugin/storage/sqlite.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License