registry  /  rolebox  /  0.17.0

rolebox@0.17.0

OpenCode plugin — define custom AI agent roles via YAML with per-role prompts, models, skills, and permissions

AI Security Review

scanned 4d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No concrete malicious package behavior was confirmed. The main residual risk is first-party AI-agent extension lifecycle mutation: plugin runtime syncs role-derived agent files and skill symlinks into OpenCode/Claude discovery locations.

Static reason
No blocking static signals were detected.
Trigger
Loading the OpenCode plugin or running rolebox CLI registry/sync/install commands
Impact
Can add or remove rolebox-managed AI agent/skill entries; no evidence of unconsented npm install-time control-surface hijack or exfiltration.
Mechanism
rolebox-managed agent file and skill symlink synchronization plus user-configured handler loading
Rationale
Source inspection does not show malware, install-time hooks, exfiltration, or stealthy persistence, but it does show first-party AI-agent extension setup at plugin runtime. Under the provided policy this is a warn-level agent extension lifecycle risk, not malicious publish-block behavior.
Evidence
package.jsondist/index.jsdist/sync/agent-files.jsdist/sync/skill-symlinks.jsdist/function/handlers-loader.jsdist/cli/version-check.jsdist/cli/registry-client.jsdist/cli/config.jsdist/paths.jsdist/cli/paths.js~/.claude/agents/{agentId}.md~/.config/opencode/skills/rolebox-*~/.config/rolebox/config.yaml~/.config/rolebox/rolebox.lock~/.local/share/rolebox/cache/version-check.json~/.local/share/rolebox/cache/{registry}/registry.yaml
Network endpoints3
registry.npmjs.org/rolebox/latestraw.githubusercontent.com/${owner}/${repo}/${branch}/registry.yamlapi.github.com/repos/${owner}/${repo}/tarball/${branch}

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/index.js initializes as an OpenCode plugin and calls syncAgentFiles/syncSkillSymlinks at plugin runtime.
  • dist/sync/agent-files.js writes role-derived agent markdown under ~/.claude/agents and removes only files containing ROLEBOX_AGENT_MARKER.
  • dist/sync/skill-symlinks.js creates/removes rolebox-prefixed symlinks under the OpenCode global skills directory.
  • dist/function/handlers-loader.js dynamically imports handler paths from role/function configuration.
  • dist/cli/version-check.js fetches https://registry.npmjs.org/rolebox/latest during CLI cleanup; registry commands fetch GitHub raw/API URLs from configured registries.
Evidence against
  • package.json has no preinstall/install/postinstall hook; only prepublishOnly runs tsc.
  • Network activity is package-aligned update/registry behavior and not install-time exfiltration.
  • No credential harvesting found; GITHUB_TOKEN is only used as an Authorization header for configured GitHub registry requests.
  • Agent/skill writes are rolebox-managed, marker/prefix-scoped, and occur when the plugin or explicit CLI commands are used.
  • No obfuscated payloads, destructive broad filesystem actions, crypto mining, or persistence beyond role/agent integration files were observed.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
WildcardDependency
scanned 146 file(s), 826 KB of source, external domains: api.github.com, github.com, raw.githubusercontent.com, registry.npmjs.org

Source & flagged code

1 flagged · loading source
dist/function/handlers-loader.jsView file
19try { L20: const mod = (await import(__rewriteRelativeImportExtension(abs))); L21: cache.set(abs, mod);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/function/handlers-loader.jsView on unpkg · L19

Findings

5 Medium5 Low
MediumDynamic Requiredist/function/handlers-loader.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings