AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The user-invoked onboarding CLI writes a first-party OpenCode agent configuration and bundled extension files into the current project. Its embedded plugins run later during OpenCode startup to generate agent variants and local subagent state; no malicious data-exfiltration chain was found.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `npx opencode-onboard` or an explicit subcommand; embedded plugins activate when the resulting OpenCode project configuration loads.
Impact
Can alter `.opencode`, `.agents`, `AGENTS.md`, and related project workflow behavior; source shows no unconsented install-time execution or credential theft.
Mechanism
Explicit CLI-driven OpenCode extension installation and project-agent configuration mutation.
Rationale
No malicious package behavior was confirmed, but the package deliberately provisions and mutates an AI-agent extension/control surface and runs third-party setup commands when invoked. This fits a non-blocking lifecycle-risk warning rather than a clean or blocking verdict.
Evidence
package.jsonsrc/index.jssrc/steps/copy/index.jssrc/steps/copy/opencode-json.jssrc/steps/browser/index.jssrc/steps/optimization/memory.jssrc/utils/models-cache.jscontent/.opencode/plugins/ob-subagent-tiers.jscontent/.opencode/plugins/ob-subagent-monitor.js.opencode/opencode.json.opencode/package.json.opencode/tui.json.opencode/plugins/ob-subagent-tiers.js.opencode/plugins/ob-subagent-monitor.js.opencode/.ob-run.json.opencode/agents.agents/skillsAGENTS.mdskills-lock.json
Network endpoints3
models.dev/api.jsonlocalhost:3111localhost:3113
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `src/steps/copy/index.js` copies an OpenCode configuration bundle into the user’s project.
- `src/steps/copy/opencode-json.js` disables built-in OpenCode build/plan agents.
- `content/.opencode/plugins/ob-subagent-tiers.js` runs on OpenCode config load and creates/removes agent variant files.
- `src/steps/browser/index.js` invokes `npx @different-ai/opencode-browser install` and auto-answers installer prompts.
- `src/steps/optimization/*` installs/configures optional OpenCode plugins, MCP tools, and skills after CLI execution.
Evidence against
- `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
- `src/index.js` activates workflows only after the user runs the CLI.
- No inspected source harvests credentials, reads `.env` files, or exfiltrates project data.
- No hidden shell payload, eval/vm use, remote code download logic, or destructive broad filesystem behavior was found.
- `src/utils/models-cache.js` only fetches model metadata from `https://models.dev/api.json` with a local cache fallback.
Behavioral surface
FilesystemNetworkShell
UrlStrings
Source & flagged code
2 flagged · loading sourcesrc/utils/exec.jsView file
1import chalk from 'chalk'
L2: import { execa } from 'execa'
L3: import ora from 'ora'
High
src/steps/optimization/index.jsView file
151try {
L152: const result = await execa('npx', ['skills', 'experimental_install', '--yes'], {
L153: cwd: process.cwd(),
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
src/steps/optimization/index.jsView on unpkg · L151Findings
2 High1 Medium3 Low
HighShellsrc/utils/exec.js
HighRuntime Package Installsrc/steps/optimization/index.js
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings