registry  /  opencode-mission  /  0.4.0

opencode-mission@0.4.0

OpenCode plugin that enables autonomous mission-driven agent mode with 4-state machine, 3-dimension budget (turn/token/wallclock), structured 4-dimension verification, and interrupt-aware auto-pause.

AI Security Review

scanned 5h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Install-time lifecycle code mutates a user-level AI-agent control surface by installing and registering an OpenCode plugin. The plugin then gains OpenCode hooks/tools capable of prompt injection, autonomous continuation, and subagent configuration.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install or global install runs postinstall; OpenCode startup loads the registered plugin.
Impact
The package is automatically loaded by OpenCode and can alter agent prompts, commands, hooks, and autonomous session behavior without an explicit platform-mediated install step.
Mechanism
unconsented lifecycle registration into OpenCode config
Policy narrative
On installation, npm runs scripts/postinstall.mjs, which copies the bundled plugin into ~/.config/opencode/plugins and edits ~/.config/opencode/opencode.json to load it. When OpenCode starts, dist/index.js registers mission tools, command templates, system prompt transforms, chat hooks, and continuation hooks that can steer agent behavior across turns. This is package-aligned but delivered through an unconsented lifecycle mutation of a broad user-level AI-agent control surface.
Rationale
Source inspection confirms install-time writes to OpenCode's home config and plugin registry, followed by agent control hooks in the plugin bundle. Under the lifecycle control-surface policy, that unconsented npm install mutation is blockable even without classic malware indicators.
Evidence
package.jsonscripts/postinstall.mjsscripts/postuninstall.mjsdist/index.jsREADME.en.md~/.config/opencode/plugins/opencode-mission.js~/.config/opencode/opencode.json~/.config/opencode/missions.json~/.config/opencode/missions/debug.log

Decision evidence

public snapshot
AI called this Malicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json defines postinstall and postuninstall lifecycle scripts.
  • scripts/postinstall.mjs copies dist/index.js into the user's opencode plugins directory during install.
  • scripts/postinstall.mjs creates or rewrites ~/.config/opencode/opencode.json to add ./plugins/opencode-mission.js.
  • dist/index.js registers OpenCode tools/hooks, system prompt transforms, command templates, and a mission-verify subagent.
  • dist/index.js can inject mission instructions into chat/system prompts and auto-continue sessions via client.session.promptAsync.
Evidence against
  • No credential harvesting or exfiltration endpoints found in package source.
  • No child_process, eval, vm, native addon, or remote code loading found.
  • README.en.md documents the automatic OpenCode config mutation and manual install path.
  • Lifecycle behavior is package-aligned with an OpenCode plugin, not a typosquat or unrelated payload.
Behavioral surface
Source
EnvironmentVarsFilesystem
Supply chain
HighEntropyStrings
Manifest
WildcardDependency
scanned 3 file(s), 74.3 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High3 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
MediumWildcard Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings