registry  /  opencode-rules-md  /  0.8.3

opencode-rules-md@0.8.3

OpenCode plugin that discovers and injects markdown rules into system prompts

AI Security Review

scanned 5d ago · by lpm-firewall-ai

No confirmed malicious attack surface. At OpenCode plugin runtime, it reads user-selected/project rule files and injects matching content into system prompts; it stores only rule-match state in its own OpenCode state directory.

Static reason
No blocking static signals were detected.
Trigger
OpenCode loads the plugin and processes chat, tool, or system-transform hooks.
Impact
Expected plugin behavior; discovered Markdown rules can influence OpenCode prompts by design, with no confirmed exfiltration or foreign control-surface mutation.
Mechanism
Rule discovery/filtering, prompt augmentation, and package-owned session-state persistence.
Rationale
Direct inspection shows an OpenCode rules plugin with no install-time execution or outbound network behavior. Its file write is constrained to package-owned session state, and its Git subprocess is a fixed `execFile` branch lookup.
Evidence
package.jsonsrc/index.tssrc/runtime.tssrc/rule-discovery.tssrc/active-rules-state.tssrc/git-branch.ts.opencode/rules/**/*.md.opencode/rules/**/*.mdc~/.config/opencode/rules/**/*.md~/.opencode/state/opencode-rules-md/<sessionId>.json

Decision evidence

public snapshot
AI called this Clean at 97.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `src/index.ts` registers OpenCode plugin hooks that inject discovered rule text into chat system prompts.
  • `src/active-rules-state.ts` writes per-session matched rule paths under `~/.opencode/state/opencode-rules-md`.
  • `src/git-branch.ts` uses `execFile` to obtain the current project Git branch.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or other lifecycle hook.
  • No fetch, HTTP client, socket, or network request API appears in shipped `src` or `tui` source.
  • Rule discovery in `src/rule-discovery.ts` reads configured/project Markdown rule directories; it does not modify them.
  • State writes validate session IDs and are limited to the package-owned OpenCode state directory.
  • `src/runtime-context.ts` reads environment variables only to identify CI/config locations.
  • No eval, Function, dynamic loading, shell command string execution, credential harvesting, or destructive file operation was found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemShell
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 38 file(s), 171 KB of source

Source & flagged code

3 flagged · loading source
src/index.tsView file
Published source reference
Low
Ai Review Evidence

`src/index.ts` registers OpenCode plugin hooks that inject discovered rule text into chat system prompts.

src/index.tsView on unpkg
src/active-rules-state.tsView file
Published source reference
Low
Ai Review Evidence

`src/active-rules-state.ts` writes per-session matched rule paths under `~/.opencode/state/opencode-rules-md`.

src/active-rules-state.tsView on unpkg
src/git-branch.tsView file
Published source reference
Low
Ai Review Evidence

`src/git-branch.ts` uses `execFile` to obtain the current project Git branch.

src/git-branch.tsView on unpkg

Findings

1 Medium5 Low
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowAi Review Evidencesrc/index.ts
LowAi Review Evidencesrc/active-rules-state.ts
LowAi Review Evidencesrc/git-branch.ts