registry  /  open-controller  /  2.0.0

open-controller@2.0.0

OpenCode plugin for Windows PC control via MCP

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. At OpenCode plugin startup, the package installs and configures a local Windows automation MCP dependency. It exposes arbitrary PowerShell execution and desktop screenshots to the hosting agent.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User enables or loads the OpenCode plugin.
Impact
A compromised or overly-permissive agent session could execute Windows commands, capture the desktop, and use the configured automation server.
Mechanism
First-party agent extension setup plus PowerShell and desktop-control tool registration.
Rationale
No concrete malicious chain is confirmed, but the package creates a high-impact local AI-agent control surface at plugin startup and installs a Python dependency without a separate user command. Treat as a warning for guarded extension-lifecycle risk rather than a publish block.
Evidence
package.jsondist/index.jsdist/updater.jsinstructions/WINDOWS_CONTROLLER.md~/.windows-mcp/mcp_runner.py

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • dist/index.js:68 installs `windows-mcp` through pip during plugin startup when absent.
  • dist/index.js:96 registers a local `windows-mcp` MCP server in OpenCode config.
  • dist/index.js:115 exposes `pc-exec`, which executes caller-supplied PowerShell.
  • dist/index.js:127 exposes full-desktop screenshot capture.
  • dist/index.js:172 injects bundled instructions into the agent system prompt.
Evidence against
  • package.json has no preinstall, install, or postinstall hook.
  • No credential harvesting, file upload, HTTP client, or exfiltration endpoint appears in runtime entrypoint.
  • The privileged tools match the declared Windows PC-control plugin purpose.
  • dist/updater.js performs npm self-update logic but is not imported or invoked by dist/index.js.
  • Instruction file contains operational guidance, not reviewer/prompt-injection or secret-exfiltration directives.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 12.1 KB of source

Source & flagged code

4 flagged · loading source
dist/updater.jsView file
1import { execSync, spawn } from "child_process"; L2: import { existsSync, readFileSync } from "fs";
High
Child Process

Package source references child process execution.

dist/updater.jsView on unpkg · L1
58windowsHide: true, L59: shell: "cmd.exe", L60: });
High
Shell

Package source references shell execution.

dist/updater.jsView on unpkg · L58
54try { L55: execSync(`npm install -g ${PKG_NAME} --silent --no-audit --no-fund --no-progress`, { L56: encoding: "utf8",
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/updater.jsView on unpkg · L54
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = open-controller@1.1.9 matchedIdentity = npm:b3Blbi1jb250cm9sbGVy:1.1.9 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg

Findings

1 Critical3 High2 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/index.js
HighChild Processdist/updater.js
HighShelldist/updater.js
HighRuntime Package Installdist/updater.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings