AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `opencode-onboard` or one of its onboarding subcommands.
Impact
Can enable MCP/plugins, create or alter project AI-agent files, and install global npm tools.
Mechanism
User-invoked agent configuration and external tool installation.
Rationale
Not malicious: all observed mutations are reachable from explicit CLI workflows and there is no concrete exfiltration or covert execution chain. Warn because it configures agent capabilities and invokes third-party installers, including global installs.
Evidence
package.jsonsrc/index.jssrc/steps/optimization/memory.jssrc/steps/browser/index.jssrc/steps/openspec/index.jssrc/utils/models-cache.js.opencode/opencode.json.opencode/package.json.opencode/tui.json.opencode/opencode-quota/quota.json.opencode/commands.opencode/skills.agents/skillsopencode.jsonc~/.config/opencode-onboard/models-cache.json
Network endpoints3
models.dev/api.jsonlocalhost:3111localhost:3113
Decision evidence
public snapshotAI called this Suspicious at 89.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `src/steps/optimization/memory.js` globally installs agentmemory and enables an MCP entry in `.opencode/opencode.json`.
- `src/steps/browser/index.js` runs `npx @different-ai/opencode-browser install` and auto-answers plugin/config prompts.
- `src/steps/openspec/index.js` installs OpenSpec globally and initializes it with `--force`.
- `src/steps/clean/index.js` deletes user-selected existing AI configuration files.
- `src/utils/models-cache.js` fetches model metadata from `https://models.dev/api.json`.
Evidence against
- `package.json` contains no preinstall, install, or postinstall lifecycle hook.
- `src/index.js` runs onboarding only through the explicit CLI entrypoint.
- No source evidence of credential harvesting, environment-secret collection, or exfiltration.
- No eval, VM execution, obfuscated payload, or arbitrary remote-code loader was found.
- Shell commands use fixed command names and argument arrays via `execa`.
Behavioral surface
FilesystemNetworkShell
UrlStrings
Source & flagged code
2 flagged · loading sourcesrc/utils/exec.jsView file
1import chalk from 'chalk'
L2: import { execa } from 'execa'
L3: import ora from 'ora'
High
src/steps/optimization/index.jsView file
151try {
L152: const result = await execa('npx', ['skills', 'experimental_install', '--yes'], {
L153: cwd: process.cwd(),
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
src/steps/optimization/index.jsView on unpkg · L151Findings
2 High1 Medium3 Low
HighShellsrc/utils/exec.js
HighRuntime Package Installsrc/steps/optimization/index.js
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings