AI Security Review
scanned 3d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The plugin fetches sponsor content and optional publisher statistics when loaded by OpenCode, and opens URLs only for sign-in or an explicit sponsor click.
Decision evidence
public snapshot- package.json has no preinstall/install/postinstall lifecycle hook.
- tui.js exports an OpenCode TUI plugin; runtime behavior starts through its tui callback.
- Network calls target configured ENTRACTE_API, defaulting to https://api.entracte.mbn.dev.
- The only credential file is this plugin's ~/.config/entracte/credentials.json machine token.
- spawn only launches the platform URL opener for sign-in or a clicked sponsor link.
- No eval, dynamic module loading, shell command construction, harvesting, or destructive traversal found.
Source & flagged code
3 flagged · loading sourceA single source file combines environment access, network access, and code or shell execution; review context before blocking.
tui.jsView on unpkg · L7Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
tui.jsView on unpkg · L7