AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `omd` or `omd install`; runtime hooks activate after OpenCode loads the registered plugin.
Impact
Enables this package as an OpenCode plugin and persists limited local session rule-state metadata.
Mechanism
User-invoked OpenCode config registration and local rule-to-system-prompt injection.
Rationale
No concrete malicious behavior was found after source inspection. Per firewall policy, explicit user-command registration of a package-owned AI-agent extension warrants a warning rather than a block.
Evidence
package.jsonsrc/cli/install.tssrc/cli/config.tssrc/cli/registry.tssrc/runtime.tssrc/active-rules-state.tssrc/git-branch.ts$OPENCODE_CONFIG_DIR/opencode.json$OPENCODE_CONFIG_DIR/tui.json~/.cache/opencode/node_modules/opencode-rules-md~/.opencode/state/opencode-rules-md/<sessionId>.json
Network endpoints1
registry.npmjs.org/opencode-rules-md/latest
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `src/cli/install.ts` explicitly registers this package in OpenCode and TUI global configs.
- `src/cli/config.ts` resolves and atomically writes `$OPENCODE_CONFIG_DIR` or user config paths.
- `src/runtime.ts` injects discovered Markdown rules into OpenCode system prompts at runtime.
- `src/active-rules-state.ts` persists per-session matched rule paths under `~/.opencode/state`.
- `src/cli/registry.ts` fetches only this package's latest-version metadata from npm.
Evidence against
- `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
- No credential harvesting, arbitrary network upload, remote payload loading, or dynamic code evaluation was found.
- The only child process call is bounded `git rev-parse --abbrev-ref HEAD` in `src/git-branch.ts`.
- Config changes occur through the user-invoked `omd` CLI and target this package's own OpenCode registration.
- The npm endpoint is package-aligned version checking, not an exfiltration channel.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
UrlStrings
Source & flagged code
1 flagged · loading sourcedist/cli.mjsView file
•matchType = previous_version_dangerous_delta
matchedPackage = opencode-rules-md@0.8.4
matchedIdentity = npm:b3BlbmNvZGUtcnVsZXMtbWQ:0.8.4
similarity = 1.000
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/cli.mjsView on unpkgFindings
1 High2 Medium3 Low
HighPrevious Version Dangerous Deltadist/cli.mjs
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings