registry  /  rose-aili  /  0.2.0

rose-aili@0.2.0

AILI OpenCode workflow installer CLI

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `rose-aili install` or `rose-aili update`; optional external tools require explicit enable flags.
Impact
Can alter the caller's OpenCode configuration and shared agent-skill paths; no unconsented install-time mutation or exfiltration was found.
Mechanism
Explicit user-command OpenCode configuration and agent-extension installation.
Rationale
Source inspection confirms an explicit agent-environment installer with filesystem mutation and optional process spawning, but finds no stealth execution, credential theft, exfiltration, or remote payload behavior. Per policy, explicit user-command agent config mutation warrants a warning rather than a block.
Evidence
package.jsondist/cli.jsdist/installer.jsdist/config.jsscripts/install_opencode.shmanifests/rose-aili.components.json.agents/skills/minimax-pdf/scripts/fill_inspect.pytemplates/opencode-global-AGENTS.mdagents/commands/.agents/skills/<OPENCODE_HOME>/opencode.json<OPENCODE_HOME>/AGENTS.md<HOME>/.agents/skills/

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/installer.js` runs a Bash installer only through explicit `rose-aili install|update`.
  • `scripts/install_opencode.sh` creates links/copies under `OPENCODE_HOME` and `$HOME/.agents/skills`.
  • `dist/installer.js` can invoke global CodeGraph/OpenSpec installs only after explicit opt-in flags.
Evidence against
  • `package.json` has no preinstall/install/postinstall hook; its only lifecycle hook is `prepare`.
  • `dist/cli.js` executes only when invoked as the CLI main module.
  • `dist/config.js` limits config writes to the chosen OpenCode config and rejects symlink targets.
  • No package code performs credential harvesting, network exfiltration, eval, dynamic loading, or remote payload download.
  • `.agents/skills/minimax-pdf/scripts/fill_inspect.py` is readable PDF-form inspection code, not a hidden payload.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 44.8 KB of source

Source & flagged code

5 flagged · loading source
.agents/skills/minimax-pdf/scripts/fill_inspect.pyView file
path = .agents/skills/minimax-pdf/scripts/fill_inspect.py kind = payload_in_excluded_dir sizeBytes = 6402 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.agents/skills/minimax-pdf/scripts/fill_inspect.pyView on unpkg
path = .agents/skills/minimax-pdf/scripts/fill_inspect.py kind = build_helper sizeBytes = 6402 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

.agents/skills/minimax-pdf/scripts/fill_inspect.pyView on unpkg
dist/installer.jsView file
matchType = previous_version_dangerous_delta matchedPackage = rose-aili@0.1.11 matchedIdentity = npm:cm9zZS1haWxp:0.1.11 similarity = 0.400 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/installer.jsView on unpkg
.agents/skills/react-native-dev/references/forms.mdView file
297patternName = generic_password severity = medium line = 297 matchedText = expect(o... });
Medium
Secret Pattern

Hardcoded password in .agents/skills/react-native-dev/references/forms.md

.agents/skills/react-native-dev/references/forms.mdView on unpkg · L297
.agents/skills/react-native-dev/references/testing.mdView file
95patternName = generic_password severity = medium line = 95 matchedText = password...23",
Medium
Secret Pattern

Hardcoded password in .agents/skills/react-native-dev/references/testing.md

.agents/skills/react-native-dev/references/testing.mdView on unpkg · L95

Findings

2 High5 Medium4 Low
HighPayload In Excluded Dir.agents/skills/minimax-pdf/scripts/fill_inspect.py
HighPrevious Version Dangerous Deltadist/installer.js
MediumEnvironment Vars
MediumShips Build Helper.agents/skills/minimax-pdf/scripts/fill_inspect.py
MediumStructural Risk Force Deep Review
MediumSecret Pattern.agents/skills/react-native-dev/references/forms.md
MediumSecret Pattern.agents/skills/react-native-dev/references/testing.md
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings