AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs an interactive or `bobby go` session selecting `opencode`.
Impact
A user-selected plugin identifier and API key can be persisted in a foreign AI CLI configuration; downstream OpenCode behavior controls any plugin resolution.
Mechanism
Explicit OpenCode configuration mutation and credentialed CLI launch.
Rationale
No concrete malicious or install-time behavior was found. Warn because explicit user-triggered mutation of a foreign AI CLI configuration can enable downstream plugin execution with persisted credentials.
Evidence
package.jsonbin/bobby.jssrc/index.jssrc/config.jssrc/launcher.jssrc/server.jssrc/accounts.jssrc/models.jssrc/providers.jssrc/templates.js~/.bobbytools/config.json~/.config/opencode/opencode.json
Network endpoints2
api.openai.com/v1openrouter.ai/api/v1
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `src/launcher.js` writes API keys and provider settings to `~/.config/opencode/opencode.json`.
- That write occurs when the user explicitly launches an `opencode` session.
- `src/providers.js` lets the user set an arbitrary `opencodeNpm` plugin identifier, later copied into OpenCode config.
- `src/launcher.js` runs a user-selected CLI command with configured credentials in environment variables.
Evidence against
- `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
- Entrypoint `bin/bobby.js` only calls the interactive CLI main function.
- Config persistence is scoped to `~/.bobbytools`; no broad credential harvesting was found.
- Network requests target configured AI providers for model checks, tests, and the explicit local router.
- No eval, VM, native loading, hidden payload, destructive action, or external credential exfiltration found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcesrc/index.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = bobbytools@2.0.3
matchedIdentity = npm:Ym9iYnl0b29scw:2.0.3
similarity = 0.800
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
src/index.jsView on unpkgFindings
1 High2 Medium4 Low
HighPrevious Version Dangerous Deltasrc/index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings