registry  /  drive-coding  /  0.17.0

drive-coding@0.17.0

AI-powered coding assistant — single-command server + web UI for ACP coding agents

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Running the CLI starts a local coding-agent server and spawns OpenCode sessions. It injects the shipped prompt plugin into each spawned OpenCode process; the plugin alters system prompts. No install-time attack or unconsented foreign agent-config mutation was found.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `drive-coding` and creates an OpenCode agent session.
Impact
The package can influence spawned agent behavior and, if exposed beyond loopback or configured broadly, offers local filesystem browsing and credentialed TTS proxying.
Mechanism
Runtime OpenCode prompt-plugin injection through child-process environment configuration.
Rationale
Source inspection does not support a malicious verdict, but confirms a package-owned runtime agent-control capability that warrants warning under the stated policy. Scanner findings for bundled models, WASM, and minified frontend code do not establish malware.
Evidence
package.jsondist/drive-coding.jsplugins/prompt-injector.tsREADME.md
Network endpoints2
generativelanguage.googleapis.comapi.elevenlabs.io

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/drive-coding.js` spawns an OpenCode agent and injects a package plugin through `OPENCODE_CONFIG_CONTENT`.
  • `plugins/prompt-injector.ts` appends backend-supplied text to every OpenCode system prompt.
  • The plugin can write complete system prompts when `PROMPT_INJECTOR_DEBUG_PATH` is explicitly set.
  • `/api/fs/browse` can list filesystem paths; unrestricted unless `FS_BROWSE_ALLOWED_BASE` is configured.
Evidence against
  • `package.json` has no preinstall, install, or postinstall hook.
  • No source evidence of credential harvesting, remote payload download, shell-eval, or covert exfiltration.
  • The server defaults to loopback `127.0.0.1` and user-invoked CLI execution.
  • Agent configuration is supplied to the spawned child environment rather than mutating a foreign config file.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 30 file(s), 2.34 MB of source, external domains: aiplatform.googleapis.com, api.elevenlabs.io, be.example.com, cdnjs.cloudflare.com, docs.cloud.google.com, docs.expo.dev, dummy.com, generativelanguage.googleapis.com, github.com, json-schema.org, opencode.ai, semver.org, svelte.dev, web.dev, www.w3.org
Oversized source lightweight scan
dist/drive-coding.js4.53 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsEvalCryptoShellWebSocketHighEntropyStringsUrlStringsapi.elevenlabs.iogenerativelanguage.googleapis.comgithub.comjson-schema.orgopencode.ai

Source & flagged code

7 flagged · loading source
frontend-dist/_app/immutable/chunks/SrseV9LB.jsView file
40Left: ${e} L41: Right: ${n}`,_l=M({kind:"unit",hasAssociatedError:!0,keys:{unit:{preserveUndefined:!0,serialize:e=>e instanceof Date?e.toISOString():ge(e)}},normalize:e=>e,defaults:{description:e=... L42: ${o},
Medium
Dynamic Require

Package source references dynamic require/import behavior.

frontend-dist/_app/immutable/chunks/SrseV9LB.jsView on unpkg · L40
4${e[e.length-1]} L5: }`)}}};class ue{constructor(n,...[t]){return Object.assign(Object.setPrototypeOf(n.bind((t==null?void 0:t.bind)??this),this.constructor.prototype),t==null?void 0:t.attach)}}const q... L6: `)[2])==null?void 0:n.trim())||"").match(/\(?(.+?)(?::\d+:\d+)?\)?$/))==null?void 0:t[1])||"unknown").replace(/^file:\/\//,"")}catch{return"unknown"}};var Ur;const Mo=((Ur=globalTh...
Low
Eval

Package source references a known benign dynamic code generation pattern.

frontend-dist/_app/immutable/chunks/SrseV9LB.jsView on unpkg · L4
frontend-dist/_app/immutable/nodes/0.D_beALrd.jsView file
42contains invisible/control Unicode U+202A (left-to-right embedding) Output ONLY the Hebrew sentence (no quotes, no markdown).`}const HN=/[.!?]\s*$|\n\s*$/;function ZN(t,e={}){const n=e.minChars??20,o=e.maxChars??200,i=e.locale??"he";if(t=t.replace(/[<U+200E><U+200F><U+202A>-<U+202E><U+2066>-<U+2069>]/g,""),
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

frontend-dist/_app/immutable/nodes/0.D_beALrd.jsView on unpkg · L42
frontend-dist/_app/immutable/assets/ort-wasm-simd-threaded.jsep.CyqnNavA.wasmView file
path = frontend-dist/_app/immutable/assets/ort-wasm-simd-threaded.jsep.CyqnNavA.wasm kind = wasm_module sizeBytes = 26239907 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

frontend-dist/_app/immutable/assets/ort-wasm-simd-threaded.jsep.CyqnNavA.wasmView on unpkg
frontend-dist/wake-word/models/hey_mycroft_v0.1.onnxView file
path = frontend-dist/wake-word/models/hey_mycroft_v0.1.onnx kind = high_entropy_blob sizeBytes = 857691 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

frontend-dist/wake-word/models/hey_mycroft_v0.1.onnxView on unpkg
dist/drive-coding.jsView file
path = dist/drive-coding.js kind = oversized_source_file sizeBytes = 4752921 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/drive-coding.jsView on unpkg
path = dist/drive-coding.js kind = oversized_cli_entrypoint sizeBytes = 4752921 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/drive-coding.jsView on unpkg

Findings

1 Critical2 High7 Medium7 Low
CriticalTrojan Source Unicodefrontend-dist/_app/immutable/nodes/0.D_beALrd.js
HighShips High Entropy Blobfrontend-dist/wake-word/models/hey_mycroft_v0.1.onnx
HighOversized Source Filedist/drive-coding.js
MediumDynamic Requirefrontend-dist/_app/immutable/chunks/SrseV9LB.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumShips Wasm Modulefrontend-dist/_app/immutable/assets/ort-wasm-simd-threaded.jsep.CyqnNavA.wasm
MediumOversized Cli Entrypointdist/drive-coding.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvalfrontend-dist/_app/immutable/chunks/SrseV9LB.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings