LPM treats this as warn-only first-party agent extension lifecycle risk. At OpenCode runtime, the plugin can initialize its own policy configuration and optionally install and execute the Tirith scanner. The download is package-aligned, bounded, and checksum-verified, but it is remote native-code acquisition.
Static reason
No blocking static signals were detected.
Trigger
OpenCode loads the plugin and a handled shell-tool command reaches `tool.execute.before` with risk scanning enabled.
Impact
A compromised upstream GitHub release/checksum channel or configured scanner path could execute code in the user's OpenCode command context; no install-time mutation is present.
Mechanism
First-party approval hook with optional verified Tirith binary download and execution.
Rationale
Source inspection shows a package-aligned OpenCode command-approval plugin with bounded configuration and review behavior. Its automatic remote native-binary download/execution warrants a warning under agent-extension lifecycle risk, but there is no evidence of malicious behavior.
Evidence
package.jsonsrc/index.tssrc/config.tssrc/reviewer.tssrc/risk-tool-runner.tssrc/tirith-download.tssrc/bounded-download.ts~/.config/opencode/command-approval.jsonc~/.cache/opencode-smart-approval/tirith/<platform>/tirith
Network endpoints2
/repos/sheeki03/tirith/releases?per_page=20