registry  /  @defend-tech/opencode-optima  /  0.1.156

@defend-tech/opencode-optima@0.1.156

> ClickUp-first delivery automation for OpenCode teams.

AI Security Review

scanned 4d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious npm install-time attack surface was found. The package is an OpenCode plugin with broad agent/workflow automation that can write OpenCode agents and operate ClickUp/GitHub/local browser tooling when loaded and configured.

Static reason
One or more suspicious static signals were detected.
Trigger
OpenCode plugin load/configuration or explicit Optima tool/CLI invocation
Impact
Can alter OpenCode agent config, project .optima files, ClickUp task state, git worktrees, and local QA browser state under configured workflows.
Mechanism
platform extension agent registration and workflow automation tools
Policy narrative
When loaded as an OpenCode plugin, the package builds bundled Optima agents and may sync them into the OpenCode config directory, then exposes tools for project initialization, ClickUp/GitHub workflow control, OpenCode session prompting, and QA browser/CDP automation. These are high-impact agent-platform capabilities, but inspection shows they are tied to the declared OpenCode plugin purpose and configuration rather than npm lifecycle hijacking or covert exfiltration.
Rationale
This should be warned rather than blocked: the package has broad agent extension lifecycle behavior, but no npm lifecycle hook, no unconsented install-time mutation, and network/file activity is aligned with the declared OpenCode Optima workflow product. The main residual risk is platform-extension capability and OPENCODE_CONFIG_DIR agent sync at plugin load.
Evidence
package.jsonscripts/optima-sanitize-host.jsdist/sanitize_cli.jsdist/index.jsOPENCODE_CONFIG_DIR/agents/*.md.optima/.config/optima.yaml.optima/codemap.yml.gitignore.optima/.config/runtime/*
Network endpoints6
api.clickup.com/api/v2/api.github.com/127.0.0.1:3001127.0.0.1:9223chatgpt.com/auth.openai.com/

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/index.js syncs package-supplied agent markdown into process.env.OPENCODE_CONFIG_DIR/agents during plugin config load
  • dist/index.js starts QA queue scheduler timers on plugin load when configured/owned
  • dist/index.js can autostart a configured user systemd Chrome service for QA CDP when qa.autostart is true
  • dist/index.js exposes tools that modify ClickUp tasks, OpenCode sessions, git worktrees, .gitignore, and .optima project state
Evidence against
  • package.json has no npm install/preinstall/postinstall lifecycle hooks
  • package.json declares an opencode platform extension surface via opencode.server and @opencode-ai/plugin dependency
  • Network calls are product-aligned: ClickUp API, GitHub API, localhost OpenCode/CDP, and user-configured webhook/public URLs
  • scripts/optima-sanitize-host.js only dispatches to local src/dist sanitize CLI
  • Project writes are guarded by plugin/tool execution and target .optima or OpenCode config paths, not npm install-time delivery
  • No credential harvesting or arbitrary remote payload download found in inspected source
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 3 file(s), 1.69 MB of source, external domains: 127.0.0.1, api.clickup.com, api.github.com, auth.openai.com, chatgpt.com, git-scm.com

Source & flagged code

5 flagged · loading source
dist/index.jsView file
9568import path5 from "node:path"; L9569: import { execFileSync } from "node:child_process"; L9570: function toGitPath(worktree, targetPath) {
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L9568
15582if (!script.trim()) return { ok: false, error: "script_required" }; L15583: const fn = new Function("page", "context", "browser", "artifactsDir", `return (async () => { L15584: ${script} ... L15590: } L15591: async function withQaBrowser({ provider = DEFAULT_QA_PROVIDER, cdpUrl = "", clickupTaskId = "", startUrl = "https://chatgpt.com/" } = {}, callback) { L15592: const chromium = await loadPlaywrightChromium(); L15593: const browser = await chromium.connectOverCDP(normalizeCdpUrl(cdpUrl), { L15594: timeout: Number(process.env.OPTIMA_QA_PLAYWRIGHT_CONNECT_TIMEOUT_MS || DEFAULT_QA_PLAYWRIGHT_CONNECT_TIMEOUT_MS) L15595: });
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L15582
15026const browser = {}; L15027: const fn = new Function("cdp", "target", "artifactsDir", "command", "page", "context", "browser", `return (async () => { L15028: ${script}
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/index.jsView on unpkg · L15026
scripts/optima-sanitize-host.jsView file
9const cliPath = fs.existsSync(sourceCli) ? sourceCli : distCli; L10: const { main } = await import(cliPath); L11:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

scripts/optima-sanitize-host.jsView on unpkg · L9
dist/sanitize_cli.jsView file
2592Cross-file remote execution chain: dist/sanitize_cli.js spawns dist/index.js; helper contains network access plus dynamic code execution. L2592: if (typeof node_buffer.Buffer === "function") { L2593: return node_buffer.Buffer.from(src, "base64"); L2594: } else if (typeof atob === "function") { ... L5197: yield* this.next(token); L5198: yield* this.end(forceDoc, endOffset); L5199: } ... L5201: *next(token) { L5202: if (node_process.env.LOG_STREAM) L5203: console.dir(token, { depth: null }); ... L7491: // WTF! L7492: // https://git-scm.com/docs/gitignore L7493: // changes in [2.22.1](https://git-scm.com/docs/gitignore/2.22.1)
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/sanitize_cli.jsView on unpkg · L2592

Findings

4 High3 Medium6 Low
HighChild Processdist/index.js
HighShell
HighSame File Env Network Executiondist/index.js
HighCross File Remote Execution Contextdist/sanitize_cli.js
MediumDynamic Requirescripts/optima-sanitize-host.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowEvaldist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License