registry  /  @yibener/ralph-flow  /  2.1.4

@yibener/ralph-flow@2.1.4

Workflow automation plugin for opencode

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. On normal OpenCode plugin initialization, the package creates a global agent file and syncs globally discoverable skills. This is a first-party agent-extension lifecycle mutation, not an npm install-time hook.

Static reason
No blocking static signals were detected.
Trigger
Loading the plugin in OpenCode.
Impact
Makes package-provided prompts and a verifier agent available across projects; verifier permissions include web access and external-directory access.
Mechanism
Global OpenCode agent and skill registration.
Rationale
The package is not concretely malicious, but it mutates a broad AI-agent control surface at runtime by installing globally discoverable agent/skill content. Per policy this merits a warning rather than a block.
Evidence
package.jsondist/index.jsdist/setup.jsdist/engine.jsdist/check.js~/.config/opencode/agent/ralph-check.md~/.config/opencode/agent/ralph-check.md.ralph-flow-managed~/.config/opencode/skills/<project>/.opencode/agents/ralph-check.md<project>/.opencode/skills/

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/index.js` invokes `setup(directory)` on plugin initialization.
  • `dist/setup.js` writes global `~/.config/opencode/agent/ralph-check.md` plus a managed marker.
  • `dist/setup.js` copies bundled skills into `~/.config/opencode/skills/` on startup.
  • The installed agent permits `webfetch`, external directories, and selected test/run shell commands.
Evidence against
  • `package.json` has no preinstall/install/postinstall lifecycle hooks.
  • No direct HTTP client, child-process, eval, dynamic code loading, or credential harvesting exists in `dist/*.js`.
  • Global files are package-owned/marker-guarded and user files with the same names are not overwritten.
  • No concrete exfiltration, destructive action, remote payload execution, or stealth persistence was found.
Behavioral surface
Source
EnvironmentVarsFilesystem
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 7 file(s), 199 KB of source

Source & flagged code

3 flagged · loading source
dist/index.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/index.js` invokes `setup(directory)` on plugin initialization.

dist/index.jsView on unpkg
dist/setup.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/setup.js` writes global `~/.config/opencode/agent/ralph-check.md` plus a managed marker.

dist/setup.jsView on unpkg
Published source reference
Medium
Ai Review Evidence

`dist/setup.js` copies bundled skills into `~/.config/opencode/skills/` on startup.

dist/setup.jsView on unpkg

Findings

5 Medium3 Low
MediumEnvironment Vars
MediumAi Review Evidencedist/index.js
MediumAi Review Evidencedist/setup.js
MediumAi Review Evidencedist/setup.js
MediumAi Review Evidence
LowScripts Present
LowFilesystem
LowHigh Entropy Strings