AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. At OpenCode plugin startup, the package installs and configures a local Windows automation MCP dependency. It exposes arbitrary PowerShell execution and desktop screenshots to the hosting agent.
Decision evidence
public snapshot- dist/index.js:68 installs `windows-mcp` through pip during plugin startup when absent.
- dist/index.js:96 registers a local `windows-mcp` MCP server in OpenCode config.
- dist/index.js:115 exposes `pc-exec`, which executes caller-supplied PowerShell.
- dist/index.js:127 exposes full-desktop screenshot capture.
- dist/index.js:172 injects bundled instructions into the agent system prompt.
- package.json has no preinstall, install, or postinstall hook.
- No credential harvesting, file upload, HTTP client, or exfiltration endpoint appears in runtime entrypoint.
- The privileged tools match the declared Windows PC-control plugin purpose.
- dist/updater.js performs npm self-update logic but is not imported or invoked by dist/index.js.
- Instruction file contains operational guidance, not reviewer/prompt-injection or secret-exfiltration directives.
Source & flagged code
4 flagged · loading sourcePackage source invokes a package manager install command at runtime.
dist/updater.jsView on unpkg · L54This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/index.jsView on unpkg