registry  /  @defend-tech/opencode-optima  /  0.1.115

@defend-tech/opencode-optima@0.1.115

> Don't just code with AI. Build enterprise-grade software.

AI Security Review

scanned 5d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is an OpenCode workflow plugin with powerful agent orchestration and browser automation capabilities that are largely documented and user/configuration driven.

Static reason
One or more suspicious static signals were detected.
Trigger
OpenCode plugin load/config hook or explicit Optima tool invocation
Impact
Can modify OpenCode agent configuration and project .optima files, call configured SaaS APIs, and execute caller-provided browser automation scripts when enabled/invoked.
Mechanism
documented OpenCode agent sync, workflow/session control, ClickUp/GitHub API automation, and QA browser scripting
Attack narrative
If installed as an OpenCode plugin, Optima can rewrite OpenCode agent definitions, set the default agent, create/prompt sessions, update workflow files, and automate a QA Chrome session. These are high-trust capabilities, including arbitrary caller-provided browser scripts, but inspection shows they match the package's documented workflow automation purpose and require plugin configuration or tool/webhook invocation rather than stealth install-time execution.
Rationale
Static inspection found powerful dual-use OpenCode and browser automation primitives, but no concrete malicious behavior such as stealth lifecycle execution, credential harvesting, hidden exfiltration, or destructive payloads. The risky behavior is package-aligned and documented, so this should not be publish-blocked.
Evidence
package.jsonREADME.mddocs/guides/TOOLS.mdscripts/optima-sanitize-host.jsdist/index.jsdist/sanitize_cli.js.optima/.config/optima.yaml.optima/codemap.yml.optima/tasks/current.md.optima/tasks/done.md.optima/.config/runtime/*.gitignore$OPENCODE_CONFIG_DIR/agents/*.md
Network endpoints6
127.0.0.1:3001api.clickup.com/api/v2/api.github.com/127.0.0.1:9223chatgpt.com/auth.openai.com/

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/index.js config hook writes generated agents into process.env.OPENCODE_CONFIG_DIR/agents and changes cfg.default_agent.
  • dist/index.js exposes optima_session_create/prompt tools that can create and prompt OpenCode sessions when invoked.
  • dist/index.js optima_qa_chrome_command accepts raw async JS and runs it with new Function against Playwright/CDP.
  • dist/index.js uses ClickUp and GitHub API clients with configured tokens for workflow/webhook automation.
Evidence against
  • package.json has no install/postinstall lifecycle hooks; prepack is publish-time only.
  • Network use is aligned with documented ClickUp, GitHub, OpenCode localhost, and QA browser features.
  • README.md and docs/guides/TOOLS.md document the OpenCode plugin, agents, ClickUp, session, and QA browser tools.
  • Dangerous primitives are behind plugin/tool invocation or configured webhook/QA flows, not import-time credential harvesting.
  • No hardcoded exfiltration host, obfuscated payload, dependency confusion, persistence implant, or destructive install behavior found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 3 file(s), 1.51 MB of source, external domains: 127.0.0.1, api.clickup.com, api.github.com, auth.openai.com, chatgpt.com, git-scm.com

Source & flagged code

5 flagged · loading source
dist/index.jsView file
9380import path5 from "node:path"; L9381: import { execFileSync } from "node:child_process"; L9382: function toGitPath(worktree, targetPath) {
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L9380
14719if (!script.trim()) return { ok: false, error: "script_required" }; L14720: const fn = new Function("page", "context", "browser", "artifactsDir", `return (async () => { L14721: ${script} ... L14727: } L14728: async function withQaBrowser({ provider = DEFAULT_QA_PROVIDER, cdpUrl = "", clickupTaskId = "", startUrl = "https://chatgpt.com/" } = {}, callback) { L14729: const chromium = await loadPlaywrightChromium(); L14730: const browser = await chromium.connectOverCDP(normalizeCdpUrl(cdpUrl), { L14731: timeout: Number(process.env.OPTIMA_QA_PLAYWRIGHT_CONNECT_TIMEOUT_MS || DEFAULT_QA_PLAYWRIGHT_CONNECT_TIMEOUT_MS) L14732: });
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L14719
14163const browser = {}; L14164: const fn = new Function("cdp", "target", "artifactsDir", "command", "page", "context", "browser", `return (async () => { L14165: ${script}
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/index.jsView on unpkg · L14163
scripts/optima-sanitize-host.jsView file
9const cliPath = fs.existsSync(sourceCli) ? sourceCli : distCli; L10: const { main } = await import(cliPath); L11:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

scripts/optima-sanitize-host.jsView on unpkg · L9
dist/sanitize_cli.jsView file
2592Cross-file remote execution chain: dist/sanitize_cli.js spawns dist/index.js; helper contains network access plus dynamic code execution. L2592: if (typeof node_buffer.Buffer === "function") { L2593: return node_buffer.Buffer.from(src, "base64"); L2594: } else if (typeof atob === "function") { ... L5197: yield* this.next(token); L5198: yield* this.end(forceDoc, endOffset); L5199: } ... L5201: *next(token) { L5202: if (node_process.env.LOG_STREAM) L5203: console.dir(token, { depth: null }); ... L7491: // WTF! L7492: // https://git-scm.com/docs/gitignore L7493: // changes in [2.22.1](https://git-scm.com/docs/gitignore/2.22.1)
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/sanitize_cli.jsView on unpkg · L2592

Findings

4 High3 Medium6 Low
HighChild Processdist/index.js
HighShell
HighSame File Env Network Executiondist/index.js
HighCross File Remote Execution Contextdist/sanitize_cli.js
MediumDynamic Requirescripts/optima-sanitize-host.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowEvaldist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License