registry  /  rolebox  /  0.19.0

rolebox@0.19.0

OpenCode plugin — define custom AI agent roles via YAML with per-role prompts, models, skills, and permissions

AI Security Review

scanned 4d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface was found. The main risk is first-party AI-agent extension setup: plugin/runtime or explicit CLI actions can materialize role prompts and skills into opencode/Claude-compatible agent locations.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
opencode loads the rolebox plugin, or the user runs rolebox CLI commands such as install/sync
Impact
Can alter rolebox-managed agent and skill configuration for AI tooling, and can run/fetch user-configured role extension behavior; no unconsented npm install-time mutation observed.
Mechanism
first-party role/skill synchronization plus user-configured extension hooks, commands, and webhooks
Rationale
rolebox is an opencode role/plugin manager with dynamic role extensions, notification channels, and first-party agent/skill synchronization, but inspection did not show install-time hijacking, credential theft, hardcoded exfiltration, or remote payload execution outside explicit package features. Because it writes AI-agent control-surface files at plugin runtime, warn rather than block.
Evidence
package.jsondist/index.jsdist/sync/agent-files.jsdist/sync/skill-symlinks.jsdist/function/handlers-loader.jsdist/extensions/loader.jsdist/hooks/custom/loader.jsdist/notifications/channels.jsdist/cli/registry-client.jsdist/cli/version-check.jsdist/cli/commands/install.jsdist/cli/commands/sync.js~/.claude/agents/{agentId}.md~/.config/opencode/skills/rolebox--*~/.config/opencode/rolebox~/.local/share/rolebox
Network endpoints3
registry.npmjs.org/rolebox/latestraw.githubusercontent.com/${owner}/${repo}/${branch}/registry.yamlapi.github.com/repos/${owner}/${repo}/tarball/${branch}

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Benign with medium false-positive risk.
Evidence for warning
  • dist/index.js initializes an opencode plugin that calls syncAgentFiles and syncSkillSymlinks at plugin runtime.
  • dist/sync/agent-files.js writes rolebox-managed agent markdown files under ~/.claude/agents and removes stale files with the rolebox marker.
  • dist/sync/skill-symlinks.js creates/removes rolebox-prefixed entries in the opencode skills directory.
  • dist/extensions/loader.js, dist/hooks/custom/loader.js, and dist/function/handlers-loader.js dynamically import role-configured local modules.
  • dist/notifications/channels.js supports user-configured custom shell commands and webhooks.
Evidence against
  • package.json has only prepublishOnly; no preinstall/install/postinstall lifecycle mutation.
  • Network use is package-aligned: version checks, GitHub role registry fetch/download, and opt-in notification webhooks.
  • CLI install/sync/uninstall actions are explicit user commands for role management.
  • No credential harvesting, stealth persistence, destructive broad filesystem behavior, or hardcoded exfiltration endpoint found.
  • Agent/skill writes are marked/prefixed as rolebox-managed and tied to resolved role configuration.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
WildcardDependency
scanned 198 file(s), 1.07 MB of source, external domains: api.github.com, github.com, raw.githubusercontent.com, registry.npmjs.org

Source & flagged code

2 flagged · loading source
dist/function/handlers-loader.jsView file
19try { L20: const mod = (await import(__rewriteRelativeImportExtension(abs))); L21: cache.set(abs, mod);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/function/handlers-loader.jsView on unpkg · L19
dist/notifications/channels.jsView file
matchType = previous_version_dangerous_delta matchedPackage = rolebox@0.18.0 matchedIdentity = npm:cm9sZWJveA:0.18.0 similarity = 0.792 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/notifications/channels.jsView on unpkg

Findings

1 High5 Medium5 Low
HighPrevious Version Dangerous Deltadist/notifications/channels.js
MediumDynamic Requiredist/function/handlers-loader.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings