registry  /  @defend-tech/opencode-optima  /  0.1.108

@defend-tech/opencode-optima@0.1.108

> Don't just code with AI. Build enterprise-grade software.

AI Security Review

scanned 6d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The risky primitives are documented OpenCode plugin capabilities activated by plugin configuration or explicit tool calls.

Static reason
One or more suspicious static signals were detected.
Trigger
OpenCode plugin load/configuration or user-invoked optima_* tools/CLI.
Impact
Benign but high-privilege automation; misuse would require configuration or tool invocation rather than hidden package behavior.
Mechanism
Documented workflow automation with project-local files, OpenCode agents, ClickUp/GitHub APIs, and QA browser control.
Rationale
Static inspection shows a feature-rich OpenCode workflow plugin with dangerous but documented and user/config-invoked capabilities. I found no install-time/import-time malware, hidden exfiltration, or unconsented persistence/destructive behavior.
Evidence
package.jsonREADME.mdscripts/optima-sanitize-host.jsdist/index.jsdist/sanitize_cli.jsdocs/setup/CONFIGURATION.md
Network endpoints5
api.clickup.comapi.github.com127.0.0.1:3001127.0.0.1:9223chatgpt.com

Decision evidence

public snapshot
AI called this Clean at 83.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/index.js exposes powerful user-invoked tools for OpenCode sessions, GitHub/ClickUp actions, and QA browser control.
  • dist/index.js uses new Function for optima_qa_chrome_command script actions supplied as tool input.
  • dist/index.js config hook writes agent markdown to OPENCODE_CONFIG_DIR and sets product_manager as default when plugin is enabled.
Evidence against
  • package.json has no install/postinstall lifecycle hooks; prepack is not consumer install-time execution.
  • README.md documents an OpenCode workflow plugin that installs agents, writes .optima project state, and integrates ClickUp/GitHub/QA browser tools.
  • Network endpoints in dist/index.js are package-aligned: api.clickup.com, api.github.com, localhost/127.0.0.1 CDP/OpenCode, and optional chatgpt.com QA tab.
  • File writes are scoped to documented .optima state, OPENCODE_CONFIG_DIR agent sync, QA artifacts, gitignore, and explicit tool/apply operations.
  • scripts/optima-sanitize-host.js only dynamically imports src or dist sanitize CLI; dist/sanitize_cli.js mirrors bundled CLI/plugin logic.
  • No evidence of credential harvesting, hidden exfiltration, persistence, destructive install/import behavior, or reviewer/prompt manipulation.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 3 file(s), 1.49 MB of source, external domains: 127.0.0.1, api.clickup.com, api.github.com, chatgpt.com, git-scm.com

Source & flagged code

5 flagged · loading source
dist/index.jsView file
9316import path5 from "node:path"; L9317: import { execFileSync } from "node:child_process"; L9318: function toGitPath(worktree, targetPath) {
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L9316
14509if (!script.trim()) return { ok: false, error: "script_required" }; L14510: const fn = new Function("page", "context", "browser", "artifactsDir", `return (async () => { L14511: ${script} ... L14517: } L14518: async function withQaBrowser({ provider = DEFAULT_QA_PROVIDER, cdpUrl = "", clickupTaskId = "", startUrl = "https://chatgpt.com/" } = {}, callback) { L14519: const chromium = await loadPlaywrightChromium(); L14520: const browser = await chromium.connectOverCDP(normalizeCdpUrl(cdpUrl), { L14521: timeout: Number(process.env.OPTIMA_QA_PLAYWRIGHT_CONNECT_TIMEOUT_MS || DEFAULT_QA_PLAYWRIGHT_CONNECT_TIMEOUT_MS) L14522: });
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L14509
14038const cdp = { send: (method, params = {}, options = {}) => session.send(method, params, options), evaluate: (expression, options = {}) => session.evaluate(expression, options) }; L14039: const fn = new Function("cdp", "target", "artifactsDir", "command", `return (async () => { L14040: ${script}
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/index.jsView on unpkg · L14038
scripts/optima-sanitize-host.jsView file
9const cliPath = fs.existsSync(sourceCli) ? sourceCli : distCli; L10: const { main } = await import(cliPath); L11:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

scripts/optima-sanitize-host.jsView on unpkg · L9
dist/sanitize_cli.jsView file
2592Cross-file remote execution chain: dist/sanitize_cli.js spawns dist/index.js; helper contains network access plus dynamic code execution. L2592: if (typeof node_buffer.Buffer === "function") { L2593: return node_buffer.Buffer.from(src, "base64"); L2594: } else if (typeof atob === "function") { ... L5197: yield* this.next(token); L5198: yield* this.end(forceDoc, endOffset); L5199: } ... L5201: *next(token) { L5202: if (node_process.env.LOG_STREAM) L5203: console.dir(token, { depth: null }); ... L7491: // WTF! L7492: // https://git-scm.com/docs/gitignore L7493: // changes in [2.22.1](https://git-scm.com/docs/gitignore/2.22.1)
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/sanitize_cli.jsView on unpkg · L2592

Findings

4 High3 Medium6 Low
HighChild Processdist/index.js
HighShell
HighSame File Env Network Executiondist/index.js
HighCross File Remote Execution Contextdist/sanitize_cli.js
MediumDynamic Requirescripts/optima-sanitize-host.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowEvaldist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License