registry  /  opencode-rules-md  /  0.8.5

opencode-rules-md@0.8.5

OpenCode plugin that discovers and injects markdown rules into system prompts

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `omd` or `omd install`; runtime hooks activate after OpenCode loads the registered plugin.
Impact
Enables this package as an OpenCode plugin and persists limited local session rule-state metadata.
Mechanism
User-invoked OpenCode config registration and local rule-to-system-prompt injection.
Rationale
No concrete malicious behavior was found after source inspection. Per firewall policy, explicit user-command registration of a package-owned AI-agent extension warrants a warning rather than a block.
Evidence
package.jsonsrc/cli/install.tssrc/cli/config.tssrc/cli/registry.tssrc/runtime.tssrc/active-rules-state.tssrc/git-branch.ts$OPENCODE_CONFIG_DIR/opencode.json$OPENCODE_CONFIG_DIR/tui.json~/.cache/opencode/node_modules/opencode-rules-md~/.opencode/state/opencode-rules-md/<sessionId>.json
Network endpoints1
registry.npmjs.org/opencode-rules-md/latest

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `src/cli/install.ts` explicitly registers this package in OpenCode and TUI global configs.
  • `src/cli/config.ts` resolves and atomically writes `$OPENCODE_CONFIG_DIR` or user config paths.
  • `src/runtime.ts` injects discovered Markdown rules into OpenCode system prompts at runtime.
  • `src/active-rules-state.ts` persists per-session matched rule paths under `~/.opencode/state`.
  • `src/cli/registry.ts` fetches only this package's latest-version metadata from npm.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
  • No credential harvesting, arbitrary network upload, remote payload loading, or dynamic code evaluation was found.
  • The only child process call is bounded `git rev-parse --abbrev-ref HEAD` in `src/git-branch.ts`.
  • Config changes occur through the user-invoked `omd` CLI and target this package's own OpenCode registration.
  • The npm endpoint is package-aligned version checking, not an exfiltration channel.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 55 file(s), 309 KB of source, external domains: bun.sh, nodejs.org, registry.npmjs.org

Source & flagged code

1 flagged · loading source
dist/cli.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = opencode-rules-md@0.8.4 matchedIdentity = npm:b3BlbmNvZGUtcnVsZXMtbWQ:0.8.4 similarity = 1.000 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli.mjsView on unpkg

Findings

1 High2 Medium3 Low
HighPrevious Version Dangerous Deltadist/cli.mjs
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings