AI Security Review
scanned 4d ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface was found. The main risk is first-party AI-agent extension setup: plugin/runtime or explicit CLI actions can materialize role prompts and skills into opencode/Claude-compatible agent locations.
Decision evidence
public snapshot- dist/index.js initializes an opencode plugin that calls syncAgentFiles and syncSkillSymlinks at plugin runtime.
- dist/sync/agent-files.js writes rolebox-managed agent markdown files under ~/.claude/agents and removes stale files with the rolebox marker.
- dist/sync/skill-symlinks.js creates/removes rolebox-prefixed entries in the opencode skills directory.
- dist/extensions/loader.js, dist/hooks/custom/loader.js, and dist/function/handlers-loader.js dynamically import role-configured local modules.
- dist/notifications/channels.js supports user-configured custom shell commands and webhooks.
- package.json has only prepublishOnly; no preinstall/install/postinstall lifecycle mutation.
- Network use is package-aligned: version checks, GitHub role registry fetch/download, and opt-in notification webhooks.
- CLI install/sync/uninstall actions are explicit user commands for role management.
- No credential harvesting, stealth persistence, destructive broad filesystem behavior, or hardcoded exfiltration endpoint found.
- Agent/skill writes are marked/prefixed as rolebox-managed and tied to resolved role configuration.
Source & flagged code
2 flagged · loading sourcePackage source references dynamic require/import behavior.
dist/function/handlers-loader.jsView on unpkg · L19This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/notifications/channels.jsView on unpkg