registry  /  rose-aili  /  0.1.9

rose-aili@0.1.9

AILI OpenCode workflow installer CLI

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `rose-aili install` or `rose-aili update`.
Impact
Changes AI-agent configuration and can add globally installed workflow tooling under explicit CLI invocation.
Mechanism
Writes/symlinks first-party OpenCode agent assets and optionally invokes global extension installers.
Rationale
This is not malicious, but its user-invoked global AI-agent configuration mutation is a real capability that merits a warning under the firewall policy. The scanner's hidden-Python hint is a false positive after source inspection.
Evidence
package.jsondist/cli.jsdist/installer.jsscripts/install_opencode.sh.agents/skills/minimax-pdf/scripts/fill_inspect.py~/.config/opencode/AGENTS.md~/.config/opencode/agents~/.config/opencode/skills~/.config/opencode/commands

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/installer.js` runs a Bash installer and can invoke global OpenCode/plugin tooling after `rose-aili install` or `update`.
  • `scripts/install_opencode.sh` writes or links package agents, skills, commands, and `AGENTS.md` into the configured OpenCode home.
  • `dist/installer.js` can run optional/global third-party installs for DCP, CodeGraph, and OpenSpec.
Evidence against
  • `package.json` has only `prepare`; no preinstall/install/postinstall hook mutates user configuration.
  • `dist/cli.js` requires explicit `install` or `update`; import/CLI help paths do not install.
  • `dist/installer.js` validates OpenCode paths and rejects unknown manifest plugins.
  • No credential harvesting, exfiltration endpoint, obfuscated payload, eval, or remote payload execution was found.
  • `.agents/skills/minimax-pdf/scripts/fill_inspect.py` is a readable PDF form-inspection helper; its subprocess use installs missing `pypdf`, not a hidden payload.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 49.2 KB of source

Source & flagged code

4 flagged · loading source
.agents/skills/minimax-pdf/scripts/fill_inspect.pyView file
path = .agents/skills/minimax-pdf/scripts/fill_inspect.py kind = payload_in_excluded_dir sizeBytes = 6402 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.agents/skills/minimax-pdf/scripts/fill_inspect.pyView on unpkg
path = .agents/skills/minimax-pdf/scripts/fill_inspect.py kind = build_helper sizeBytes = 6402 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

.agents/skills/minimax-pdf/scripts/fill_inspect.pyView on unpkg
.agents/skills/react-native-dev/references/forms.mdView file
297patternName = generic_password severity = medium line = 297 matchedText = expect(o... });
Medium
Secret Pattern

Hardcoded password in .agents/skills/react-native-dev/references/forms.md

.agents/skills/react-native-dev/references/forms.mdView on unpkg · L297
.agents/skills/react-native-dev/references/testing.mdView file
95patternName = generic_password severity = medium line = 95 matchedText = password...23",
Medium
Secret Pattern

Hardcoded password in .agents/skills/react-native-dev/references/testing.md

.agents/skills/react-native-dev/references/testing.mdView on unpkg · L95

Findings

1 High5 Medium4 Low
HighPayload In Excluded Dir.agents/skills/minimax-pdf/scripts/fill_inspect.py
MediumEnvironment Vars
MediumShips Build Helper.agents/skills/minimax-pdf/scripts/fill_inspect.py
MediumStructural Risk Force Deep Review
MediumSecret Pattern.agents/skills/react-native-dev/references/forms.md
MediumSecret Pattern.agents/skills/react-native-dev/references/testing.md
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings