AI Security Review
scanned 4d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is an OpenCode role manager that registers first-party rolebox agents/skills and provides explicit CLI registry/install and notification features.
Static reason
No blocking static signals were detected.
Trigger
OpenCode plugin load or explicit rolebox CLI commands
Impact
Creates/removes rolebox-managed agent files and skill symlinks; may fetch GitHub/npm metadata or user-configured webhooks.
Mechanism
package-aligned agent/skill sync, registry fetch, optional dynamic role handlers
Rationale
Static inspection shows dual-use plugin behaviors but they are aligned with the package purpose, user/plugin invoked, and bounded by rolebox-managed markers/prefixes. There is no install-time mutation, exfiltration, remote payload execution, or broad AI-agent control hijack.
Evidence
package.jsondist/index.jsdist/sync/agent-files.jsdist/sync/skill-symlinks.jsdist/function/handlers-loader.jsdist/cli/version-check.jsdist/cli/registry-client.jsdist/notifications/channels.js~/.claude/agents/{agentId}.md~/.config/opencode/skills/rolebox--*~/.local/share/rolebox/cache/*~/.local/share/rolebox/roles/*~/.config/rolebox/*
Network endpoints3
registry.npmjs.org/rolebox/latestraw.githubusercontent.com/{owner}/{repo}/{branch}/registry.yamlapi.github.com/repos/{owner}/{repo}/tarball/{branch}
Decision evidence
public snapshotAI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
- dist/index.js syncs resolved roles into external agent/skill discovery directories at runtime.
- dist/function/handlers-loader.js dynamically imports handler modules referenced by role function files.
- dist/cli/registry-client.js fetches GitHub registry/tarball data and passes GITHUB_TOKEN only to GitHub API/raw endpoints.
Evidence against
- package.json has no preinstall/install/postinstall hooks; only prepublishOnly runs tsc.
- dist/index.js mutations occur when the OpenCode plugin is loaded, not during npm install.
- dist/sync/agent-files.js tags and only cleans files containing ROLEBOX_AGENT_MARKER.
- dist/sync/skill-symlinks.js only manages entries prefixed rolebox--.
- Network use is package-aligned: update checks, role registry install, and user-configured notification webhooks.
- No credential harvesting, stealth persistence, destructive broad filesystem behavior, or hardcoded exfiltration endpoint found.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
WildcardDependency
Source & flagged code
1 flagged · loading sourcedist/function/handlers-loader.jsView file
19try {
L20: const mod = (await import(__rewriteRelativeImportExtension(abs)));
L21: cache.set(abs, mod);
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/function/handlers-loader.jsView on unpkg · L19Findings
5 Medium5 Low
MediumDynamic Requiredist/function/handlers-loader.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings