registry  /  browser-code  /  0.2.0

browser-code@0.2.0

Browser Code — web content capture, research, and knowledge management agent

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Install-time code fetches an executable from the package's GitHub release and stores it in the package directory without integrity verification. A later explicit `browser-code` invocation executes that binary with the package-owned agent/MCP configuration.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm postinstall; then explicit `browser-code` CLI invocation
Impact
A compromised or substituted release artifact would execute with the invoking user's privileges when the CLI is run.
Mechanism
unverified remote binary bootstrap plus bundled agent extension configuration
Rationale
Source inspection does not establish malicious intent or a concrete harmful chain, so blocking is not justified. The unverified lifecycle binary bootstrap and automatically selected agent configuration warrant a warning.
Evidence
package.jsonscripts/postinstall.jsbin/browser-code.cjs.browser-code/browser-code.jsoncharness/install-hooks.tsopencode/packages/opencode/src/lsp/server.tsopencode/packages/opencode/dist/opencode-<platform>-<arch>/bin/opencode
Network endpoints1
github.com/uuuuytgg/browser-code/releases/download

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `package.json` runs `scripts/postinstall.js` automatically.
  • `scripts/postinstall.js` downloads a platform binary, writes it under `opencode/.../dist`, and marks it executable.
  • The postinstall downloader has no checksum, signature, or integrity verification.
  • `bin/browser-code.cjs` runs that downloaded binary and forces the bundled `.browser-code` agent config.
  • `.browser-code/browser-code.jsonc` enables package-provided MCP processes, including native executables and `npx` tools.
Evidence against
  • Postinstall targets the package's declared GitHub Releases path, not an unrelated endpoint.
  • Postinstall does not execute the downloaded binary or modify user/home/foreign agent configuration.
  • No source evidence shows credential harvesting, command-output exfiltration, destructive behavior, or stealth persistence.
  • `harness/install-hooks.ts` changes Git hooks only through an explicit user command, not lifecycle execution.
  • The flagged LSP downloads in `opencode/.../lsp/server.ts` are feature-triggered language-server setup, not install-time exfiltration.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2,271 file(s), 14.6 MB of source, external domains: 127.0.0.1, accounts.x.ai, anoma.ly, api.anthropic.com, api.bilibili.com, api.cerebras.ai, api.cloudflare.com, api.deepinfra.com, api.deepseek.com, api.digitalocean.com, api.emailoctopus.com, api.example.com, api.fireworks.ai, api.github.com, api.githubcopilot.com, api.groq.com, api.honeycomb.io, api.kilo.ai, api.llmgateway.io, api.meuprovedor.com, api.minudbyder.dk, api.miproveedor.com, api.mistral.ai, api.mojdostawca.com, api.mojprovajder.com, api.monfournisseur.com, api.myprovider.com, api.npmjs.org, api.openai.com, api.opencode.ai, api.perplexity.ai, api.releases.hashicorp.com, api.saglayicim.com, api.together.xyz, api.venice.ai, api.x.ai, app.example.test, app.opencode.ai, applink.feishu.cn, auth.openai.com, auth.x.ai, browser-code.internal, cdn.example.com, chatgpt.com, cloud.digitalocean.com, community.chocolatey.org, company.ghe.com, console.opencode.ai, dashboard.stripe.com, debian.example

Source & flagged code

22 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
opencode/packages/llm/test/provider/bedrock-converse.test.tsView file
411patternName = aws_access_key severity = critical line = 411 matchedText = accessKe...LE",
Critical
Critical Secret

Package contains a critical-looking secret pattern.

opencode/packages/llm/test/provider/bedrock-converse.test.tsView on unpkg · L411
411patternName = aws_access_key severity = critical line = 411 matchedText = accessKe...LE",
Critical
Secret Pattern

AWS access key ID in opencode/packages/llm/test/provider/bedrock-converse.test.ts

opencode/packages/llm/test/provider/bedrock-converse.test.tsView on unpkg · L411
bin/browser-code.cjsView file
3const path = require("path") L4: const { spawnSync } = require("child_process") L5:
High
Child Process

Package source references child process execution.

bin/browser-code.cjsView on unpkg · L3
2// browser-code CLI — delegates to platform-specific opencode binary L3: const path = require("path") L4: const { spawnSync } = require("child_process")
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/browser-code.cjsView on unpkg · L2
opencode/packages/core/src/shell.tsView file
18nu: { deny: true }, L19: powershell: { ps: true }, L20: pwsh: { ps: true },
High
Shell

Package source references shell execution.

opencode/packages/core/src/shell.tsView on unpkg · L18
opencode/packages/effect-drizzle-sqlite/src/internal/drizzle-utils.tsView file
31try { L32: return new Function("input", '"use strict"; return input;')(true) === true L33: } catch {
High
Eval

Package source references dynamic code evaluation.

opencode/packages/effect-drizzle-sqlite/src/internal/drizzle-utils.tsView on unpkg · L31
harness/build_index.tsView file
104for (const file of allFiles) { L105: const content = Bun.file(file).text(); L106: // We need to do this synchronously inside the transaction
Low
Weak Crypto

Package source references weak cryptographic algorithms.

harness/build_index.tsView on unpkg · L104
opencode/github/index.tsView file
9import { createOpencodeClient } from "@opencode-ai/sdk" L10: import { spawn } from "node:child_process" L11: import { setTimeout as sleep } from "node:timers/promises" ... L20: databaseId: string L21: body: string L22: author: GitHubAuthor ... L123: let shareId: string | undefined L124: let exitCode = 0 L125: type PromptFiles = Awaited<ReturnType<typeof getUserPrompt>>["promptFiles"] ... L150: if (useEnvShare() === false) return L151: if (!useEnvShare() && repoData.data.private) return L152: await client.session.share<true>({ path: session })
High
Credential Exfiltration

Source combines credential-like environment material and outbound requests; review data flow before blocking.

opencode/github/index.tsView on unpkg · L9
opencode/packages/opencode/src/lsp/server.tsView file
1import type { ChildProcessWithoutNullStreams } from "child_process" L2: import path from "path" ... L22: const run = (cmd: string[], opts: Process.RunOptions = {}) => Process.run(cmd, { ...opts, nothrow: true }) L23: const output = (cmd: string[], opts: Process.RunOptions = {}) => Process.text(cmd, { ...opts, nothrow: true }) L24: ... L117: root: NearestRoot( L118: ["package-lock.json", "bun.lockb", "bun.lock", "pnpm-lock.yaml", "yarn.lock"], L119: ["deno.json", "deno.jsonc"], ... L129: env: { L130: ...process.env, L131: }, ... L182: if (flags.disableLspDownload) return
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

opencode/packages/opencode/src/lsp/server.tsView on unpkg · L1
1import type { ChildProcessWithoutNullStreams } from "child_process" L2: import path from "path" ... L22: const run = (cmd: string[], opts: Process.RunOptions = {}) => Process.run(cmd, { ...opts, nothrow: true }) L23: const output = (cmd: string[], opts: Process.RunOptions = {}) => Process.text(cmd, { ...opts, nothrow: true }) L24: ... L117: root: NearestRoot( L118: ["package-lock.json", "bun.lockb", "bun.lock", "pnpm-lock.yaml", "yarn.lock"], L119: ["deno.json", "deno.jsonc"], ... L129: env: { L130: ...process.env, L131: }, ... L182: if (flags.disableLspDownload) return
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

opencode/packages/opencode/src/lsp/server.tsView on unpkg · L1
tools/mcp/bin/douyin-0.1.1/douyin.exeView file
path = tools/mcp/bin/douyin-0.1.1/douyin.exe kind = native_binary sizeBytes = 15746048 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

tools/mcp/bin/douyin-0.1.1/douyin.exeView on unpkg
opencode/patches/install-korean-ime-fix.shView file
path = opencode/patches/install-korean-ime-fix.sh kind = build_helper sizeBytes = 4769 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

opencode/patches/install-korean-ime-fix.shView on unpkg
tools/mcp/bin/douyin_0.1.1_windows_amd64.zipView file
path = tools/mcp/bin/douyin_0.1.1_windows_amd64.zip kind = high_entropy_blob sizeBytes = 6409801 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

tools/mcp/bin/douyin_0.1.1_windows_amd64.zipView on unpkg
path = tools/mcp/bin/douyin_0.1.1_windows_amd64.zip kind = compressed_blob sizeBytes = 6409801 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

tools/mcp/bin/douyin_0.1.1_windows_amd64.zipView on unpkg
path = tools/mcp/bin/douyin_0.1.1_windows_amd64.zip kind = nested_archive_needs_inspection sizeBytes = 6409801 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

tools/mcp/bin/douyin_0.1.1_windows_amd64.zipView on unpkg
opencode/packages/http-recorder/test/record-replay.test.tsView file
138patternName = google_api_key severity = high line = 138 matchedText = body: JS... }),
High
Secret Pattern

Google API key in opencode/packages/http-recorder/test/record-replay.test.ts

opencode/packages/http-recorder/test/record-replay.test.tsView on unpkg · L138
172patternName = generic_password severity = medium line = 172 matchedText = password...rd",
Medium
Secret Pattern

Hardcoded password in opencode/packages/http-recorder/test/record-replay.test.ts

opencode/packages/http-recorder/test/record-replay.test.tsView on unpkg · L172
179patternName = generic_password severity = medium line = 179 matchedText = password...D]",
Medium
Secret Pattern

Hardcoded password in opencode/packages/http-recorder/test/record-replay.test.ts

opencode/packages/http-recorder/test/record-replay.test.tsView on unpkg · L179
opencode/packages/opencode/test/server/auth.test.tsView file
47patternName = generic_password severity = medium line = 47 matchedText = expect(S...al({
Medium
Secret Pattern

Hardcoded password in opencode/packages/opencode/test/server/auth.test.ts

opencode/packages/opencode/test/server/auth.test.tsView on unpkg · L47
opencode/packages/opencode/test/server/httpapi-listen.test.tsView file
18patternName = generic_password severity = medium line = 18 matchedText = const au...t" }
Medium
Secret Pattern

Hardcoded password in opencode/packages/opencode/test/server/httpapi-listen.test.ts

opencode/packages/opencode/test/server/httpapi-listen.test.tsView on unpkg · L18

Findings

3 Critical8 High12 Medium6 Low
CriticalCritical Secretopencode/packages/llm/test/provider/bedrock-converse.test.ts
CriticalCommand Output Exfiltrationopencode/packages/opencode/src/lsp/server.ts
CriticalSecret Patternopencode/packages/llm/test/provider/bedrock-converse.test.ts
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processbin/browser-code.cjs
HighShellopencode/packages/core/src/shell.ts
HighEvalopencode/packages/effect-drizzle-sqlite/src/internal/drizzle-utils.ts
HighCredential Exfiltrationopencode/github/index.ts
HighSandbox Evasion Gated Capabilityopencode/packages/opencode/src/lsp/server.ts
HighShips High Entropy Blobtools/mcp/bin/douyin_0.1.1_windows_amd64.zip
HighSecret Patternopencode/packages/http-recorder/test/record-replay.test.ts
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirebin/browser-code.cjs
MediumNetwork
MediumEnvironment Vars
MediumShips Native Binarytools/mcp/bin/douyin-0.1.1/douyin.exe
MediumShips Build Helperopencode/patches/install-korean-ime-fix.sh
MediumShips Compressed Blobtools/mcp/bin/douyin_0.1.1_windows_amd64.zip
MediumStructural Risk Force Deep Review
MediumSecret Patternopencode/packages/http-recorder/test/record-replay.test.ts
MediumSecret Patternopencode/packages/http-recorder/test/record-replay.test.ts
MediumSecret Patternopencode/packages/opencode/test/server/auth.test.ts
MediumSecret Patternopencode/packages/opencode/test/server/httpapi-listen.test.ts
LowScripts Present
LowWeak Cryptoharness/build_index.ts
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNested Archive Needs Inspectiontools/mcp/bin/douyin_0.1.1_windows_amd64.zip