registry  /  @defend-tech/opencode-optima  /  0.1.155

@defend-tech/opencode-optima@0.1.155

> ClickUp-first delivery automation for OpenCode teams.

AI Security Review

scanned 4d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malware behavior, but the package is an AI-agent platform extension that can install package-managed OpenCode agents and automate ClickUp/GitHub/OpenCode workflows when activated. Residual risk is platform extension lifecycle and dangerous agent-facing tooling, not unconsented npm install compromise.

Static reason
One or more suspicious static signals were detected.
Trigger
OpenCode plugin activation, configured Optima tools/webhooks, or explicit optima-sanitize-host CLI invocation
Impact
Can write .optima state, OPENCODE_CONFIG_DIR agent files, runtime webhook state/logs, screenshots, and workflow metadata; can call configured SaaS/local endpoints and run configured git/QA actions.
Mechanism
package-aligned OpenCode agent/config sync and workflow automation
Policy narrative
When loaded as an OpenCode plugin, Optima reads repo config, scaffolds .optima assets, may sync package-defined agents into the configured OpenCode config directory, and can start configured ClickUp/GitHub webhook automation. Its CLI can sanitize host OpenCode metadata and optionally run over SSH. These are powerful agent/workflow capabilities, but inspection did not find npm install-time execution, hidden exfiltration, or unconsented mutation of a foreign agent surface.
Rationale
The suspicious primitives are package-aligned and gated by OpenCode plugin activation, configuration, tool calls, or explicit CLI flags. Because it lifecycle-generates agent control content and automation for an AI platform, warn rather than block.
Evidence
package.jsondist/index.jsdist/sanitize_cli.jsscripts/optima-sanitize-host.jsREADME.mddocs/setup/CONFIGURATION.md.optima/.config/optima.yaml.optima/.config/runtime/OPENCODE_CONFIG_DIR/agents/*.md~/.local/share/opencode_defend/opencode/opencode.db~/.optima_sanitize_backup/*.zip
Network endpoints7
api.clickup.com/api/v2api.github.com127.0.0.1:3001127.0.0.1:3210127.0.0.1:9223chatgpt.comauth.openai.com

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/index.js config hook writes package-managed agent markdown into process.env.OPENCODE_CONFIG_DIR/agents
  • dist/index.js starts ClickUp/GitHub webhook listener and assignment watchdog when configured and runtime owner
  • dist/index.js exposes QA tools that evaluate user-supplied browser/CDP scripts via new Function
  • dist/sanitize_cli.js user-invoked bin can SSH to a host and mutate discovered OpenCode worktree metadata
Evidence against
  • package.json has no npm lifecycle install hooks
  • package.json declares an OpenCode plugin and bin, matching the package purpose
  • Network calls are ClickUp/GitHub/OpenCode/localhost/ChatGPT QA endpoints tied to documented Optima workflow features
  • Writes are guarded by plugin activation/config or explicit CLI/tool use, not automatic npm install
  • No credential harvesting or exfiltration path found; secrets are resolved for configured API/webhook clients and redacted in logs
  • sanitize CLI defaults to a Defend OpenCode DB path and supports dry-run; remote SSH is explicit via --host
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 3 file(s), 1.68 MB of source, external domains: 127.0.0.1, api.clickup.com, api.github.com, auth.openai.com, chatgpt.com, git-scm.com

Source & flagged code

5 flagged · loading source
dist/index.jsView file
9475import path5 from "node:path"; L9476: import { execFileSync } from "node:child_process"; L9477: function toGitPath(worktree, targetPath) {
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L9475
15489if (!script.trim()) return { ok: false, error: "script_required" }; L15490: const fn = new Function("page", "context", "browser", "artifactsDir", `return (async () => { L15491: ${script} ... L15497: } L15498: async function withQaBrowser({ provider = DEFAULT_QA_PROVIDER, cdpUrl = "", clickupTaskId = "", startUrl = "https://chatgpt.com/" } = {}, callback) { L15499: const chromium = await loadPlaywrightChromium(); L15500: const browser = await chromium.connectOverCDP(normalizeCdpUrl(cdpUrl), { L15501: timeout: Number(process.env.OPTIMA_QA_PLAYWRIGHT_CONNECT_TIMEOUT_MS || DEFAULT_QA_PLAYWRIGHT_CONNECT_TIMEOUT_MS) L15502: });
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L15489
14933const browser = {}; L14934: const fn = new Function("cdp", "target", "artifactsDir", "command", "page", "context", "browser", `return (async () => { L14935: ${script}
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/index.jsView on unpkg · L14933
scripts/optima-sanitize-host.jsView file
9const cliPath = fs.existsSync(sourceCli) ? sourceCli : distCli; L10: const { main } = await import(cliPath); L11:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

scripts/optima-sanitize-host.jsView on unpkg · L9
dist/sanitize_cli.jsView file
2592Cross-file remote execution chain: dist/sanitize_cli.js spawns dist/index.js; helper contains network access plus dynamic code execution. L2592: if (typeof node_buffer.Buffer === "function") { L2593: return node_buffer.Buffer.from(src, "base64"); L2594: } else if (typeof atob === "function") { ... L5197: yield* this.next(token); L5198: yield* this.end(forceDoc, endOffset); L5199: } ... L5201: *next(token) { L5202: if (node_process.env.LOG_STREAM) L5203: console.dir(token, { depth: null }); ... L7491: // WTF! L7492: // https://git-scm.com/docs/gitignore L7493: // changes in [2.22.1](https://git-scm.com/docs/gitignore/2.22.1)
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/sanitize_cli.jsView on unpkg · L2592

Findings

4 High3 Medium6 Low
HighChild Processdist/index.js
HighShell
HighSame File Env Network Executiondist/index.js
HighCross File Remote Execution Contextdist/sanitize_cli.js
MediumDynamic Requirescripts/optima-sanitize-host.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowEvaldist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License