registry  /  @thelioo/opencode-balancer  /  0.2.11

@thelioo/opencode-balancer@0.2.11

Account balancer plugin for opencode.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface. The package is an opencode plugin that manages local credentials, patches fetch for selected provider requests, and includes explicit setup instructions for adding itself to opencode configs.

Static reason
No blocking static signals were detected.
Trigger
User enables the opencode plugin or follows INSTALL.txt setup; runtime hooks activate inside opencode.
Impact
Can read/save opencode provider credentials locally and set opencode native auth for chosen accounts; no evidence of theft, stealth persistence, or broad unconsented install-time mutation.
Mechanism
First-party opencode plugin credential switching and provider usage fetching
Rationale
Source inspection shows a disclosed opencode account-balancer plugin with credential-local storage, provider request credential switching, usage API calls, and explicit user/agent setup instructions, but no install-time hook, unrelated exfiltration, remote payload execution, or destructive behavior. Because it asks agents to modify an AI-agent control surface and handles credentials, warning is appropriate rather than blocking.
Evidence
package.jsonREADME.mdINSTALL.txtdist/index.jsdist/server/index.tsdist/server/fetch-patch.tsdist/server/auth-watcher.tsdist/server/cache-update.tsdist/server/native.tsdist/core/usage/redact.tsdist/core/usage/providers/openai.tsdist/core/usage/providers/copilot.ts~/.config/opencode/balancer.sqlite$OPENCODE_CONFIG_DIR/balancer.sqlite~/.local/share/opencode/auth.json$XDG_DATA_HOME/opencode/auth.json~/.config/opencode/opencode.jsonc~/.config/opencode/opencode.json~/.config/opencode/tui.jsonc~/.config/opencode/tui.jsonopencode cache packages sandbox for @thelioo/opencode-balancer@latest
Network endpoints8
registry.npmjs.org/-/package/${encodeURIComponent(packageName)}/dist-tagschatgpt.com/backend-api/wham/usageapi.openai.com/v1/organization/usage/completionsapi.github.com/copilot_internal/userapi.github.com/userapi.github.com/users/${encodeURIComponent(login)}/settings/billing/premium_request/usageapi.github.com/users/${encodeURIComponent(login)}/settings/billing/usage/summary?product=copilotapi.github.com/orgs/${encodeURIComponent(githubOrg)}/copilot/billing

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Benign with medium false-positive risk.
Evidence for warning
  • INSTALL.txt instructs an agent to add this package to opencode server and TUI plugin arrays.
  • dist/server/fetch-patch.ts monkey-patches globalThis.fetch to inject selected saved account credentials into opencode provider requests.
  • dist/server/auth-watcher.ts reads opencode native auth content/auth.json and stores changed credentials as pending/local accounts.
  • dist/server/cache-update.ts fetches npm dist-tags and may rmSync only this package's stale opencode @latest cache sandbox.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hook; prepare/prepublishOnly are development/publish scripts.
  • README.md and code behavior are aligned with an opencode account balancer plugin and disclose local credential storage.
  • Network calls are package-aligned: provider usage APIs and npm registry version check, with no unrelated exfiltration endpoint seen.
  • dist/core/usage/redact.ts redacts credential-looking keys and current account secrets before saving usage snapshots.
  • Cache deletion is path-checked under opencode cache packages and validates package name/version before removal.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 50 file(s), 229 KB of source, external domains: api.github.com, api.openai.com, chatgpt.com, github.com, registry.npmjs.org

Source & flagged code

1 flagged · loading source
dist/index.jsView file
158`)[0]??o,"info"),Error(`[balancer] L159: ${o}`)},config:async(e)=>{xn(e)},"experimental.chat.messages.transform":async(e,r)=>{r.messages=r.messages.filter((o)=>{return!o.parts.some((a)=>{return a?.metadata?.[et]===!0})})}... L160:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L158

Findings

3 Medium5 Low
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings