registry  /  opencode-onboard  /  1.3.4

opencode-onboard@1.3.4

Prepare any codebase for AI. Wires OpenCode, OpenSpec, codegraph, and agentmemory into a multi-agent development workflow powered by native parallel subagents.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The user-invoked onboarding CLI writes a first-party OpenCode agent configuration and bundled extension files into the current project. Its embedded plugins run later during OpenCode startup to generate agent variants and local subagent state; no malicious data-exfiltration chain was found.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `npx opencode-onboard` or an explicit subcommand; embedded plugins activate when the resulting OpenCode project configuration loads.
Impact
Can alter `.opencode`, `.agents`, `AGENTS.md`, and related project workflow behavior; source shows no unconsented install-time execution or credential theft.
Mechanism
Explicit CLI-driven OpenCode extension installation and project-agent configuration mutation.
Rationale
No malicious package behavior was confirmed, but the package deliberately provisions and mutates an AI-agent extension/control surface and runs third-party setup commands when invoked. This fits a non-blocking lifecycle-risk warning rather than a clean or blocking verdict.
Evidence
package.jsonsrc/index.jssrc/steps/copy/index.jssrc/steps/copy/opencode-json.jssrc/steps/browser/index.jssrc/steps/optimization/memory.jssrc/utils/models-cache.jscontent/.opencode/plugins/ob-subagent-tiers.jscontent/.opencode/plugins/ob-subagent-monitor.js.opencode/opencode.json.opencode/package.json.opencode/tui.json.opencode/plugins/ob-subagent-tiers.js.opencode/plugins/ob-subagent-monitor.js.opencode/.ob-run.json.opencode/agents.agents/skillsAGENTS.mdskills-lock.json
Network endpoints3
models.dev/api.jsonlocalhost:3111localhost:3113

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `src/steps/copy/index.js` copies an OpenCode configuration bundle into the user’s project.
  • `src/steps/copy/opencode-json.js` disables built-in OpenCode build/plan agents.
  • `content/.opencode/plugins/ob-subagent-tiers.js` runs on OpenCode config load and creates/removes agent variant files.
  • `src/steps/browser/index.js` invokes `npx @different-ai/opencode-browser install` and auto-answers installer prompts.
  • `src/steps/optimization/*` installs/configures optional OpenCode plugins, MCP tools, and skills after CLI execution.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
  • `src/index.js` activates workflows only after the user runs the CLI.
  • No inspected source harvests credentials, reads `.env` files, or exfiltrates project data.
  • No hidden shell payload, eval/vm use, remote code download logic, or destructive broad filesystem behavior was found.
  • `src/utils/models-cache.js` only fetches model metadata from `https://models.dev/api.json` with a local cache fallback.
Behavioral surface
Source
FilesystemNetworkShell
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 38 file(s), 103 KB of source, external domains: github.com, models.dev, opencode.ai

Source & flagged code

2 flagged · loading source
src/utils/exec.jsView file
1import chalk from 'chalk' L2: import { execa } from 'execa' L3: import ora from 'ora'
High
Shell

Package source references shell execution.

src/utils/exec.jsView on unpkg · L1
src/steps/optimization/index.jsView file
151try { L152: const result = await execa('npx', ['skills', 'experimental_install', '--yes'], { L153: cwd: process.cwd(),
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

src/steps/optimization/index.jsView on unpkg · L151

Findings

2 High1 Medium3 Low
HighShellsrc/utils/exec.js
HighRuntime Package Installsrc/steps/optimization/index.js
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings