registry  /  @defend-tech/opencode-optima  /  0.1.150

@defend-tech/opencode-optima@0.1.150

> ClickUp-first delivery automation for OpenCode teams.

AI Security Review

scanned 4d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious install/import attack surface. The package is an OpenCode platform plugin with powerful agent, ClickUp/GitHub, and QA browser capabilities that can write OpenCode agent files and run user-supplied browser scripts when the plugin/tools are invoked.

Static reason
One or more suspicious static signals were detected.
Trigger
OpenCode loads the plugin or a user/agent invokes Optima tools
Impact
Could alter OpenCode agent behavior and automate browser/API workflows within configured Optima environments, but no unconsented npm lifecycle hijack was found.
Mechanism
platform extension lifecycle plus user-invoked automation tools
Rationale
Source inspection shows a first-party OpenCode plugin with guarded, platform-aligned extension setup and powerful runtime tools, but no npm lifecycle execution, broad foreign agent hijack, credential theft, or malicious exfiltration. Because it writes OpenCode agent files during plugin config and exposes dangerous agent/browser automation capabilities, warn rather than mark clean.
Evidence
package.jsondist/index.jsdist/sanitize_cli.jsscripts/optima-sanitize-host.jsREADME.mddocs/setup/INSTALLATION.mdOPENCODE_CONFIG_DIR/agents/*.md.optima/.config/optima.yaml.optima/codemap.yml.optima/tasks/current.md.optima/tasks/done.md.optima/docs/scrs/current.md.optima/docs/scrs/done.md.gitignore
Network endpoints6
api.clickup.com/api/v2api.github.com127.0.0.1:3001127.0.0.1:9223chatgpt.com/auth.openai.com/

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/index.js config hook writes generated agent markdown into OPENCODE_CONFIG_DIR/agents via syncOpenCodeConfigAgents
  • dist/index.js exposes QA browser tools that run user-supplied evaluate/script through Playwright/CDP new Function
  • dist/index.js can start configured user systemd QA service when qa.autostart is enabled
  • dist/index.js performs ClickUp/GitHub API actions when configured
Evidence against
  • package.json has no npm lifecycle install hooks
  • OpenCode agent/config mutation occurs in plugin config runtime, not npm install time, and targets OpenCode plugin surface
  • Repository scaffolding writes are user-invoked via optima_init/repair into .optima and .gitignore
  • Network endpoints are package-aligned: ClickUp, GitHub, local OpenCode/CDP, ChatGPT QA
  • No credential harvesting or unrelated exfiltration found in inspected entrypoints
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 3 file(s), 1.65 MB of source, external domains: 127.0.0.1, api.clickup.com, api.github.com, auth.openai.com, chatgpt.com, git-scm.com

Source & flagged code

5 flagged · loading source
dist/index.jsView file
9406import path5 from "node:path"; L9407: import { execFileSync } from "node:child_process"; L9408: function toGitPath(worktree, targetPath) {
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L9406
15284if (!script.trim()) return { ok: false, error: "script_required" }; L15285: const fn = new Function("page", "context", "browser", "artifactsDir", `return (async () => { L15286: ${script} ... L15292: } L15293: async function withQaBrowser({ provider = DEFAULT_QA_PROVIDER, cdpUrl = "", clickupTaskId = "", startUrl = "https://chatgpt.com/" } = {}, callback) { L15294: const chromium = await loadPlaywrightChromium(); L15295: const browser = await chromium.connectOverCDP(normalizeCdpUrl(cdpUrl), { L15296: timeout: Number(process.env.OPTIMA_QA_PLAYWRIGHT_CONNECT_TIMEOUT_MS || DEFAULT_QA_PLAYWRIGHT_CONNECT_TIMEOUT_MS) L15297: });
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L15284
14728const browser = {}; L14729: const fn = new Function("cdp", "target", "artifactsDir", "command", "page", "context", "browser", `return (async () => { L14730: ${script}
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/index.jsView on unpkg · L14728
scripts/optima-sanitize-host.jsView file
9const cliPath = fs.existsSync(sourceCli) ? sourceCli : distCli; L10: const { main } = await import(cliPath); L11:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

scripts/optima-sanitize-host.jsView on unpkg · L9
dist/sanitize_cli.jsView file
2592Cross-file remote execution chain: dist/sanitize_cli.js spawns dist/index.js; helper contains network access plus dynamic code execution. L2592: if (typeof node_buffer.Buffer === "function") { L2593: return node_buffer.Buffer.from(src, "base64"); L2594: } else if (typeof atob === "function") { ... L5197: yield* this.next(token); L5198: yield* this.end(forceDoc, endOffset); L5199: } ... L5201: *next(token) { L5202: if (node_process.env.LOG_STREAM) L5203: console.dir(token, { depth: null }); ... L7491: // WTF! L7492: // https://git-scm.com/docs/gitignore L7493: // changes in [2.22.1](https://git-scm.com/docs/gitignore/2.22.1)
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/sanitize_cli.jsView on unpkg · L2592

Findings

4 High3 Medium6 Low
HighChild Processdist/index.js
HighShell
HighSame File Env Network Executiondist/index.js
HighCross File Remote Execution Contextdist/sanitize_cli.js
MediumDynamic Requirescripts/optima-sanitize-host.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowEvaldist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License