registry  /  @defend-tech/opencode-optima  /  0.1.148

@defend-tech/opencode-optima@0.1.148

> ClickUp-first delivery automation for OpenCode teams.

AI Security Review

scanned 4d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malware behavior, but the package is an OpenCode agent extension that mutates agent configuration during plugin config and exposes powerful workflow/QA automation tools. Risk is platform-extension lifecycle control rather than credential theft or covert persistence.

Static reason
One or more suspicious static signals were detected.
Trigger
OpenCode loads the plugin or a user invokes Optima tools/optima-sanitize-host
Impact
Can change OpenCode agent defaults/config and perform user-invoked project/worktree, browser, ClickUp, GitHub, and local OpenCode actions.
Mechanism
OpenCode agent config sync, task workflow automation, browser QA scripting, and host sanitize CLI
Policy narrative
The package behaves as an OpenCode workflow/agent plugin. On plugin configuration it builds bundled/repo agent definitions and, unless disabled, writes them into OpenCode's config agents directory and sets the default agent. Its network and process primitives support ClickUp/GitHub/OpenCode/browser QA workflows and a sanitize CLI, but I did not find install-time execution, covert exfiltration, or unrelated destructive behavior.
Rationale
Static inspection supports a warning for guarded AI-agent extension lifecycle risk: the package can mutate OpenCode control-surface configuration, but this is consistent with its stated plugin purpose and is not triggered by npm install. No concrete malicious payload or covert data exfiltration path was confirmed.
Evidence
package.jsondist/index.jsdist/sanitize_cli.jsscripts/optima-sanitize-host.jsOPENCODE_CONFIG_DIR/agents/*.md.gitignore.optima/**~/.local/share/opencode-optima/**~/.local/share/opencode_defend/opencode/opencode.db~/.optima_sanitize_backup/*.zip
Network endpoints6
api.clickup.com/api/v2/api.github.com/127.0.0.1:3001127.0.0.1:9223chatgpt.com/auth.openai.com/

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/index.js config hook writes generated agent markdown into process.env.OPENCODE_CONFIG_DIR/agents by default
  • dist/index.js registers OpenCode tools that can prompt/fork sessions and alter default_agent to product_manager
  • dist/index.js includes user-invoked browser QA tools with new Function for supplied script commands
  • dist/sanitize_cli.js user-invoked CLI can SSH to a host, read OpenCode SQLite paths, back up/remove legacy override files
Evidence against
  • package.json has no install/postinstall/preinstall lifecycle scripts
  • Network calls are aligned to ClickUp/GitHub/OpenCode/OpenChamber/Chrome CDP/ChatGPT QA features, not covert exfiltration
  • No import-time execution beyond module definition/export in dist/index.js
  • Child process usage is for git operations, systemctl QA helper, SSH CLI mode, and python sqlite query helper
  • File writes target documented Optima/OpenCode config/runtime paths or user-discovered worktrees, with safe-worktree checks in plugin tools
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 3 file(s), 1.64 MB of source, external domains: 127.0.0.1, api.clickup.com, api.github.com, auth.openai.com, chatgpt.com, git-scm.com

Source & flagged code

5 flagged · loading source
dist/index.jsView file
9406import path5 from "node:path"; L9407: import { execFileSync } from "node:child_process"; L9408: function toGitPath(worktree, targetPath) {
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L9406
15222if (!script.trim()) return { ok: false, error: "script_required" }; L15223: const fn = new Function("page", "context", "browser", "artifactsDir", `return (async () => { L15224: ${script} ... L15230: } L15231: async function withQaBrowser({ provider = DEFAULT_QA_PROVIDER, cdpUrl = "", clickupTaskId = "", startUrl = "https://chatgpt.com/" } = {}, callback) { L15232: const chromium = await loadPlaywrightChromium(); L15233: const browser = await chromium.connectOverCDP(normalizeCdpUrl(cdpUrl), { L15234: timeout: Number(process.env.OPTIMA_QA_PLAYWRIGHT_CONNECT_TIMEOUT_MS || DEFAULT_QA_PLAYWRIGHT_CONNECT_TIMEOUT_MS) L15235: });
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L15222
14666const browser = {}; L14667: const fn = new Function("cdp", "target", "artifactsDir", "command", "page", "context", "browser", `return (async () => { L14668: ${script}
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/index.jsView on unpkg · L14666
scripts/optima-sanitize-host.jsView file
9const cliPath = fs.existsSync(sourceCli) ? sourceCli : distCli; L10: const { main } = await import(cliPath); L11:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

scripts/optima-sanitize-host.jsView on unpkg · L9
dist/sanitize_cli.jsView file
2592Cross-file remote execution chain: dist/sanitize_cli.js spawns dist/index.js; helper contains network access plus dynamic code execution. L2592: if (typeof node_buffer.Buffer === "function") { L2593: return node_buffer.Buffer.from(src, "base64"); L2594: } else if (typeof atob === "function") { ... L5197: yield* this.next(token); L5198: yield* this.end(forceDoc, endOffset); L5199: } ... L5201: *next(token) { L5202: if (node_process.env.LOG_STREAM) L5203: console.dir(token, { depth: null }); ... L7491: // WTF! L7492: // https://git-scm.com/docs/gitignore L7493: // changes in [2.22.1](https://git-scm.com/docs/gitignore/2.22.1)
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/sanitize_cli.jsView on unpkg · L2592

Findings

4 High3 Medium6 Low
HighChild Processdist/index.js
HighShell
HighSame File Env Network Executiondist/index.js
HighCross File Remote Execution Contextdist/sanitize_cli.js
MediumDynamic Requirescripts/optima-sanitize-host.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowEvaldist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License