registry  /  @defend-tech/opencode-optima  /  0.1.106

@defend-tech/opencode-optima@0.1.106

> Don't just code with AI. Build enterprise-grade software.

AI Security Review

scanned 6d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Risky primitives are aligned with an OpenCode workflow automation plugin and explicit CLI/tool actions, with no lifecycle execution or hidden payload.

Static reason
One or more suspicious static signals were detected.
Trigger
User loads the OpenCode plugin or explicitly runs optima-sanitize-host / Optima tools.
Impact
Project .optima/OpenCode config state may be created or updated during normal plugin operation; configured APIs may be called when features are enabled.
Mechanism
workflow automation plugin with configured ClickUp/GitHub/OpenCode/QA browser integrations
Rationale
Static inspection found automation capabilities with network, filesystem, shell, and dynamic evaluation primitives, but they are exposed as documented OpenCode plugin/CLI workflows and are not triggered by package install or import as a covert payload. No credential exfiltration, persistence, destructive behavior, dependency confusion, or unconsented AI-agent control hijack was confirmed.
Evidence
package.jsondist/index.jsdist/sanitize_cli.jsscripts/optima-sanitize-host.jsassets/agents/workflow_product_manager.md.optima/.gitignoreOpenCode config agents directory via OPENCODE_CONFIG_DIR~/.local/share/opencode_defend/opencode/opencode.db
Network endpoints5
127.0.0.1:3001api.clickup.com/api/v2/api.github.com/127.0.0.1:9223chatgpt.com/

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/postinstall lifecycle hooks; main is dist/index.js and bin is explicit dist/sanitize_cli.js.
    • dist/index.js exports an OpenCode plugin; network calls are ClickUp/GitHub/OpenCode/localhost/CDP integrations tied to plugin tools/config.
    • dist/index.js child_process usage is git/systemctl for repository workflow and QA browser service operations, not install/import-time execution.
    • dist/index.js dynamic Function appears in explicit QA browser command actions, not hidden payload loading.
    • dist/sanitize_cli.js is an explicit optima-sanitize-host CLI; ssh/python3/sqlite/filesystem writes are user-invoked migration/sanitization behavior.
    • Secret reads resolve configured {env:...}/{file:...} references for ClickUp/GitHub auth and redact audit logs; no credential harvesting loop or exfil sink found.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
    Supply chain
    HighEntropyStringsUrlStrings
    Manifest
    NoLicense
    scanned 3 file(s), 1.48 MB of source, external domains: 127.0.0.1, api.clickup.com, api.github.com, chatgpt.com, git-scm.com

    Source & flagged code

    5 flagged · loading source
    dist/index.jsView file
    9316import path5 from "node:path"; L9317: import { execFileSync } from "node:child_process"; L9318: function toGitPath(worktree, targetPath) {
    High
    Child Process

    Package source references child process execution.

    dist/index.jsView on unpkg · L9316
    14502if (!script.trim()) return { ok: false, error: "script_required" }; L14503: const fn = new Function("page", "context", "browser", "artifactsDir", `return (async () => { L14504: ${script} ... L14510: } L14511: async function withQaBrowser({ provider = DEFAULT_QA_PROVIDER, cdpUrl = "", clickupTaskId = "", startUrl = "https://chatgpt.com/" } = {}, callback) { L14512: const chromium = await loadPlaywrightChromium(); L14513: const browser = await chromium.connectOverCDP(normalizeCdpUrl(cdpUrl), { L14514: timeout: Number(process.env.OPTIMA_QA_PLAYWRIGHT_CONNECT_TIMEOUT_MS || DEFAULT_QA_PLAYWRIGHT_CONNECT_TIMEOUT_MS) L14515: });
    High
    Same File Env Network Execution

    A single source file combines environment access, network access, and code or shell execution; review context before blocking.

    dist/index.jsView on unpkg · L14502
    14031const cdp = { send: (method, params = {}, options = {}) => session.send(method, params, options), evaluate: (expression, options = {}) => session.evaluate(expression, options) }; L14032: const fn = new Function("cdp", "target", "artifactsDir", "command", `return (async () => { L14033: ${script}
    Low
    Eval

    Package source references a known benign dynamic code generation pattern.

    dist/index.jsView on unpkg · L14031
    scripts/optima-sanitize-host.jsView file
    9const cliPath = fs.existsSync(sourceCli) ? sourceCli : distCli; L10: const { main } = await import(cliPath); L11:
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    scripts/optima-sanitize-host.jsView on unpkg · L9
    dist/sanitize_cli.jsView file
    2592Cross-file remote execution chain: dist/sanitize_cli.js spawns dist/index.js; helper contains network access plus dynamic code execution. L2592: if (typeof node_buffer.Buffer === "function") { L2593: return node_buffer.Buffer.from(src, "base64"); L2594: } else if (typeof atob === "function") { ... L5197: yield* this.next(token); L5198: yield* this.end(forceDoc, endOffset); L5199: } ... L5201: *next(token) { L5202: if (node_process.env.LOG_STREAM) L5203: console.dir(token, { depth: null }); ... L7491: // WTF! L7492: // https://git-scm.com/docs/gitignore L7493: // changes in [2.22.1](https://git-scm.com/docs/gitignore/2.22.1)
    High
    Cross File Remote Execution Context

    Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

    dist/sanitize_cli.jsView on unpkg · L2592

    Findings

    4 High3 Medium6 Low
    HighChild Processdist/index.js
    HighShell
    HighSame File Env Network Executiondist/index.js
    HighCross File Remote Execution Contextdist/sanitize_cli.js
    MediumDynamic Requirescripts/optima-sanitize-host.js
    MediumNetwork
    MediumEnvironment Vars
    LowScripts Present
    LowEvaldist/index.js
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings
    LowNo License