AI Security Review
scanned 5d ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface from npm install. Residual risk is a powerful, user-invoked Codex/OpenCode extension installer that enables hooks, MCP servers, agents, and autonomous Codex permissions.
Decision evidence
public snapshot- package.json has postinstall node postinstall.mjs lifecycle hook.
- postinstall.mjs executes opencode --version and removes matching ~/.cache/opencode package cache entries.
- packages/omo-codex/scripts/install-dist/install-local.mjs user-invoked installer writes ~/.codex/config.toml, plugins/cache, agents, and hook trust state.
- installer enables plugins/plugin_hooks/multi_agent and autonomous permissions via approval_policy="never" in Codex config.
- packages/omo-codex/plugin/.codex-plugin/plugin.json declares Codex plugin hooks and MCP servers.
- packages/omo-codex/plugin/.mcp.json includes remote MCP URLs https://mcp.grep.app and https://mcp.context7.com/mcp.
- No evidence postinstall writes Codex/Claude/MCP control-surface config or plants agent instructions.
- Codex installer is reached by explicit lazycodex/lazycodex-ai update/install CLI flow, not npm install import-time execution.
- Plugin payload is package-aligned and installed under ~/.codex/plugins/cache/sisyphuslabs/omo plus ~/.codex/agents.
- Network endpoints are documented telemetry/MCP/plugin functionality, not credential exfiltration.
- bin/oh-my-opencode.js only dispatches to platform binary or explicit installer commands.
- No credential harvesting, destructive filesystem behavior, or remote code download observed in inspected source.
Source & flagged code
13 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgPackage source references child process execution.
bin/oh-my-opencode.jsView on unpkg · L4Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
bin/oh-my-opencode.jsView on unpkg · L4Package source references dynamic require/import behavior.
bin/oh-my-opencode.jsView on unpkg · L16Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.
postinstall.mjsView on unpkg · L80Package source invokes a package manager install command at runtime.
packages/omo-codex/scripts/install-local-entrypoint.test.mjsView on unpkg · L64Package ships non-JavaScript build or shell helper files.
dist/skills/ast-grep/install.shView on unpkgPackage hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.
dist/skills/ast-grep/tests/smoke.ps1View on unpkgPackage contains source files above the static scanner size ceiling.
dist/cli-node/index.jsView on unpkgPackage contains an oversized executable-looking CLI entrypoint.
dist/cli-node/index.jsView on unpkg