AI Security Review
scanned 7h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The explicit `agent-teamwork` CLI installs a first-party OpenCode extension into the user's home configuration. At runtime it launches local worker servers, copies local OpenCode auth into per-worker temporary state, and sends work through localhost APIs.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `npx agent-teamwork` or the package bin, then uses its OpenCode manager tools.
Impact
Changes the user's OpenCode plugin, agent, and permission configuration; spawned workers may use the user's existing OpenCode authentication under normal OpenCode permissions.
Mechanism
Explicit OpenCode extension installation and local authenticated worker orchestration.
Rationale
This is not concrete malicious behavior, but explicit user-command setup modifies an AI-agent control surface and creates authenticated worker processes. It warrants a warning rather than a publish block.
Evidence
package.jsoninstall.shopencode/plugins/agent-teamwork.tsopencode/plugins/agent-teamwork-scheduler.tsworker.jsonmanager.json~/.config/opencode/opencode.json~/.config/opencode/plugins/agent-teamwork.ts~/.config/opencode/plugins/agent-teamwork-scheduler.ts~/.config/opencode/worker.json~/.config/opencode/agents/manager.md~/.local/share/opencode/auth.json/tmp/oc-<port>/opencode/auth.json
Network endpoints1
127.0.0.1:<dynamic-port>
Decision evidence
public snapshotAI called this Suspicious at 92.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `install.sh` explicitly writes `~/.config/opencode/opencode.json` and installs plugins/manager config.
- `opencode/plugins/agent-teamwork.ts` copies OpenCode `auth.json` into isolated `/tmp/oc-<port>` worker state.
- The plugin spawns local `opencode serve` worker processes and routes manager-controlled tasks to them.
Evidence against
- `package.json` `postinstall` only prints an instruction; it performs no mutation.
- All plugin HTTP calls target `127.0.0.1`; no external exfiltration endpoint is present.
- No remote payload loading, shell interpolation of user input, credential transmission, or destructive project-file behavior was found.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = echo "agent-teamwork: chạy 'npx agent-teamwork' để cài vào ~/.config/opencode"
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkginstall.shView file
•path = install.sh
kind = build_helper
sizeBytes = 2991
magicHex = [redacted]
Medium
Findings
1 High4 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperinstall.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings