AI Security Review
scanned 4d ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No concrete malicious package behavior was confirmed. The main residual risk is first-party AI-agent extension lifecycle mutation: plugin runtime syncs role-derived agent files and skill symlinks into OpenCode/Claude discovery locations.
Static reason
No blocking static signals were detected.
Trigger
Loading the OpenCode plugin or running rolebox CLI registry/sync/install commands
Impact
Can add or remove rolebox-managed AI agent/skill entries; no evidence of unconsented npm install-time control-surface hijack or exfiltration.
Mechanism
rolebox-managed agent file and skill symlink synchronization plus user-configured handler loading
Rationale
Source inspection does not show malware, install-time hooks, exfiltration, or stealthy persistence, but it does show first-party AI-agent extension setup at plugin runtime. Under the provided policy this is a warn-level agent extension lifecycle risk, not malicious publish-block behavior.
Evidence
package.jsondist/index.jsdist/sync/agent-files.jsdist/sync/skill-symlinks.jsdist/function/handlers-loader.jsdist/cli/version-check.jsdist/cli/registry-client.jsdist/cli/config.jsdist/paths.jsdist/cli/paths.js~/.claude/agents/{agentId}.md~/.config/opencode/skills/rolebox-*~/.config/rolebox/config.yaml~/.config/rolebox/rolebox.lock~/.local/share/rolebox/cache/version-check.json~/.local/share/rolebox/cache/{registry}/registry.yaml
Network endpoints3
registry.npmjs.org/rolebox/latestraw.githubusercontent.com/${owner}/${repo}/${branch}/registry.yamlapi.github.com/repos/${owner}/${repo}/tarball/${branch}
Decision evidence
public snapshotAI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- dist/index.js initializes as an OpenCode plugin and calls syncAgentFiles/syncSkillSymlinks at plugin runtime.
- dist/sync/agent-files.js writes role-derived agent markdown under ~/.claude/agents and removes only files containing ROLEBOX_AGENT_MARKER.
- dist/sync/skill-symlinks.js creates/removes rolebox-prefixed symlinks under the OpenCode global skills directory.
- dist/function/handlers-loader.js dynamically imports handler paths from role/function configuration.
- dist/cli/version-check.js fetches https://registry.npmjs.org/rolebox/latest during CLI cleanup; registry commands fetch GitHub raw/API URLs from configured registries.
Evidence against
- package.json has no preinstall/install/postinstall hook; only prepublishOnly runs tsc.
- Network activity is package-aligned update/registry behavior and not install-time exfiltration.
- No credential harvesting found; GITHUB_TOKEN is only used as an Authorization header for configured GitHub registry requests.
- Agent/skill writes are rolebox-managed, marker/prefix-scoped, and occur when the plugin or explicit CLI commands are used.
- No obfuscated payloads, destructive broad filesystem actions, crypto mining, or persistence beyond role/agent integration files were observed.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
WildcardDependency
Source & flagged code
1 flagged · loading sourcedist/function/handlers-loader.jsView file
19try {
L20: const mod = (await import(__rewriteRelativeImportExtension(abs)));
L21: cache.set(abs, mod);
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/function/handlers-loader.jsView on unpkg · L19Findings
5 Medium5 Low
MediumDynamic Requiredist/function/handlers-loader.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings