AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface. The package is an opencode plugin that manages local credentials, patches fetch for selected provider requests, and includes explicit setup instructions for adding itself to opencode configs.
Static reason
No blocking static signals were detected.
Trigger
User enables the opencode plugin or follows INSTALL.txt setup; runtime hooks activate inside opencode.
Impact
Can read/save opencode provider credentials locally and set opencode native auth for chosen accounts; no evidence of theft, stealth persistence, or broad unconsented install-time mutation.
Mechanism
First-party opencode plugin credential switching and provider usage fetching
Rationale
Source inspection shows a disclosed opencode account-balancer plugin with credential-local storage, provider request credential switching, usage API calls, and explicit user/agent setup instructions, but no install-time hook, unrelated exfiltration, remote payload execution, or destructive behavior. Because it asks agents to modify an AI-agent control surface and handles credentials, warning is appropriate rather than blocking.
Evidence
package.jsonREADME.mdINSTALL.txtdist/index.jsdist/server/index.tsdist/server/fetch-patch.tsdist/server/auth-watcher.tsdist/server/cache-update.tsdist/server/native.tsdist/core/usage/redact.tsdist/core/usage/providers/openai.tsdist/core/usage/providers/copilot.ts~/.config/opencode/balancer.sqlite$OPENCODE_CONFIG_DIR/balancer.sqlite~/.local/share/opencode/auth.json$XDG_DATA_HOME/opencode/auth.json~/.config/opencode/opencode.jsonc~/.config/opencode/opencode.json~/.config/opencode/tui.jsonc~/.config/opencode/tui.jsonopencode cache packages sandbox for @thelioo/opencode-balancer@latest
Network endpoints8
registry.npmjs.org/-/package/${encodeURIComponent(packageName)}/dist-tagschatgpt.com/backend-api/wham/usageapi.openai.com/v1/organization/usage/completionsapi.github.com/copilot_internal/userapi.github.com/userapi.github.com/users/${encodeURIComponent(login)}/settings/billing/premium_request/usageapi.github.com/users/${encodeURIComponent(login)}/settings/billing/usage/summary?product=copilotapi.github.com/orgs/${encodeURIComponent(githubOrg)}/copilot/billing
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Benign with medium false-positive risk.
Evidence for warning
- INSTALL.txt instructs an agent to add this package to opencode server and TUI plugin arrays.
- dist/server/fetch-patch.ts monkey-patches globalThis.fetch to inject selected saved account credentials into opencode provider requests.
- dist/server/auth-watcher.ts reads opencode native auth content/auth.json and stores changed credentials as pending/local accounts.
- dist/server/cache-update.ts fetches npm dist-tags and may rmSync only this package's stale opencode @latest cache sandbox.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hook; prepare/prepublishOnly are development/publish scripts.
- README.md and code behavior are aligned with an opencode account balancer plugin and disclose local credential storage.
- Network calls are package-aligned: provider usage APIs and npm registry version check, with no unrelated exfiltration endpoint seen.
- dist/core/usage/redact.ts redacts credential-looking keys and current account secrets before saving usage snapshots.
- Cache deletion is path-checked under opencode cache packages and validates package name/version before removal.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/index.jsView file
158`)[0]??o,"info"),Error(`[balancer]
L159: ${o}`)},config:async(e)=>{xn(e)},"experimental.chat.messages.transform":async(e,r)=>{r.messages=r.messages.filter((o)=>{return!o.parts.some((a)=>{return a?.metadata?.[et]===!0})})}...
L160:
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/index.jsView on unpkg · L158Findings
3 Medium5 Low
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings