AI Security Review
scanned 6d ago · by lpm-firewall-aiNo confirmed malware was found, but the updater has a real command-injection/RCE risk because config-derived plugin names, git URLs, branches, and commits are interpolated into shell commands. It also intentionally mutates AI-tool config and startup hooks as part of user-invoked setup.
Decision evidence
public snapshot- dist/git.js builds shell commands with pluginName/gitUrl/branch/commitHash from plugins.json and runs execSync
- dist/npm.js runs npm install/update/uninstall -g with name from opencode.json without shell escaping
- dist/index.js auto-activates on import unless PLUGIN_UPDATER_LIBRARY_MODE/ACTIVATION is set
- dist/cli.js init writes Claude SessionStart hook and OpenCode plugin config when user runs init
- dist/deploy.js imports deployed plugin files and may start declared daemons from cloned plugins
- package.json has no install/postinstall lifecycle; prepublishOnly is publish-time only
- CLI/config writes are documented plugin-manager behavior and user-invoked
- No credential harvesting, broad file enumeration, or exfiltration endpoint found
- Network behavior is aligned with plugin update/install duties: git, npm, and local daemon health checks
- Deletion is scoped to configured repos/plugin entries and remove/prune operations
Source & flagged code
4 flagged · loading sourcePackage source invokes a package manager install command at runtime.
dist/npm.jsView on unpkg · L82Package source references dynamic require/import behavior.
dist/syncbridge.jsView on unpkg · L29This package version adds a dangerous source file absent from the previous stored version.
dist/cli.jsView on unpkg