AI Security Review
scanned 3h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
User follows INSTALL.txt or enables the opencode plugin; runtime hooks activate during opencode chat/TUI use.
Impact
Can alter opencode plugin configuration when installed by an agent and can locally store/switch provider credentials for chat requests.
Mechanism
Explicit opencode plugin setup plus credential-balancing fetch hook
Rationale
This is not malicious by source inspection, but it is an explicit user-command AI-agent configuration mutation for an agent/plugin control surface and should be warned rather than silently allowed. No publish block is warranted because behavior is disclosed, package-aligned, and lacks concrete malicious execution or exfiltration.
Evidence
package.jsonREADME.mdINSTALL.txtdist/index.jsdist/tui/tui.js~/.config/opencode/opencode.jsonc~/.config/opencode/opencode.json~/.config/opencode/tui.jsonc~/.config/opencode/tui.json~/.config/opencode/balancer.sqlite~/.local/share/opencode/auth.json
Network endpoints6
registry.npmjs.org/-/package/api.github.com/copilot_internal/userapi.github.com/userapi.github.com/orgs/chatgpt.com/backend-api/wham/usageapi.openai.com/v1/organization/usage/completions
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- INSTALL.txt explicitly instructs agents to edit ~/.config/opencode/opencode.json[c] and tui.json[c] plugin arrays
- dist/index.js registers opencode plugin hooks and monkey-patches globalThis.fetch for tagged chat requests
- dist/index.js stores provider auth_json in balancer.sqlite and injects saved credentials into provider request headers
- dist/tui/tui.js reads opencode auth.json or OPENCODE_AUTH_CONTENT and saves detected provider credentials
Evidence against
- package.json has no preinstall/install/postinstall; prepare is husky and prepublishOnly builds only
- README.md discloses local credential store and opencode plugin behavior
- network calls are package-aligned usage/version checks to registry.npmjs.org, api.github.com, chatgpt.com, and api.openai.com
- dist/index.js cache removal is constrained to opencode packages cache and matching package/version
- TUI usage snapshots redact known credential fields before storage
- No evidence of credential exfiltration to attacker-controlled endpoints, shell execution, eval, persistence, or destructive behavior
Behavioral surface
ChildProcessDynamicRequireEnvironmentVarsNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/index.jsView file
167`)[0]??o,"info"),Error(`[balancer]
L168: ${o}`)},config:async(e)=>{xn(e)},"experimental.chat.messages.transform":async(e,r)=>{r.messages=r.messages.filter((o)=>{return!o.parts.some((a)=>{return a?.metadata?.[ot]===!0})})}...
L169:
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/index.jsView on unpkg · L167Findings
3 Medium4 Low
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings