registry  /  rolebox  /  0.20.0

rolebox@0.20.0

OpenCode plugin — define custom AI agent roles via YAML with per-role prompts, models, skills, and permissions

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is an OpenCode role manager that registers first-party rolebox agents/skills and provides explicit CLI registry/install and notification features.

Static reason
No blocking static signals were detected.
Trigger
OpenCode plugin load or explicit rolebox CLI commands
Impact
Creates/removes rolebox-managed agent files and skill symlinks; may fetch GitHub/npm metadata or user-configured webhooks.
Mechanism
package-aligned agent/skill sync, registry fetch, optional dynamic role handlers
Rationale
Static inspection shows dual-use plugin behaviors but they are aligned with the package purpose, user/plugin invoked, and bounded by rolebox-managed markers/prefixes. There is no install-time mutation, exfiltration, remote payload execution, or broad AI-agent control hijack.
Evidence
package.jsondist/index.jsdist/sync/agent-files.jsdist/sync/skill-symlinks.jsdist/function/handlers-loader.jsdist/cli/version-check.jsdist/cli/registry-client.jsdist/notifications/channels.js~/.claude/agents/{agentId}.md~/.config/opencode/skills/rolebox--*~/.local/share/rolebox/cache/*~/.local/share/rolebox/roles/*~/.config/rolebox/*
Network endpoints3
registry.npmjs.org/rolebox/latestraw.githubusercontent.com/{owner}/{repo}/{branch}/registry.yamlapi.github.com/repos/{owner}/{repo}/tarball/{branch}

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/index.js syncs resolved roles into external agent/skill discovery directories at runtime.
  • dist/function/handlers-loader.js dynamically imports handler modules referenced by role function files.
  • dist/cli/registry-client.js fetches GitHub registry/tarball data and passes GITHUB_TOKEN only to GitHub API/raw endpoints.
Evidence against
  • package.json has no preinstall/install/postinstall hooks; only prepublishOnly runs tsc.
  • dist/index.js mutations occur when the OpenCode plugin is loaded, not during npm install.
  • dist/sync/agent-files.js tags and only cleans files containing ROLEBOX_AGENT_MARKER.
  • dist/sync/skill-symlinks.js only manages entries prefixed rolebox--.
  • Network use is package-aligned: update checks, role registry install, and user-configured notification webhooks.
  • No credential harvesting, stealth persistence, destructive broad filesystem behavior, or hardcoded exfiltration endpoint found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
WildcardDependency
scanned 234 file(s), 1.25 MB of source, external domains: api.github.com, github.com, raw.githubusercontent.com, registry.npmjs.org

Source & flagged code

1 flagged · loading source
dist/function/handlers-loader.jsView file
19try { L20: const mod = (await import(__rewriteRelativeImportExtension(abs))); L21: cache.set(abs, mod);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/function/handlers-loader.jsView on unpkg · L19

Findings

5 Medium5 Low
MediumDynamic Requiredist/function/handlers-loader.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings