registry  /  @defend-tech/opencode-optima  /  0.1.157

@defend-tech/opencode-optima@0.1.157

> ClickUp-first delivery automation for OpenCode teams.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface, but the package is an OpenCode agent extension with broad lifecycle authority once enabled. It can write agent config, workflow files, local runtime logs/state, and interact with ClickUp/GitHub/OpenCode when configured.

Static reason
One or more suspicious static signals were detected.
Trigger
OpenCode loading the plugin config, explicit plugin tool invocation, or running optima-sanitize-host
Impact
Can change OpenCode agent behavior and local Optima workflow state for configured worktrees; no install-time hijack or covert exfiltration found.
Mechanism
first-party OpenCode workflow automation and agent configuration setup
Rationale
Source inspection shows an OpenCode workflow plugin with powerful, package-aligned agent/config and ClickUp/GitHub automation, but no npm lifecycle execution, stealth persistence, credential theft, or unconsented install-time mutation. Because it writes agent definitions into OpenCode config when enabled, it fits an agent extension lifecycle risk rather than malware.
Evidence
package.jsondist/index.jsdist/sanitize_cli.jsscripts/optima-sanitize-host.jsOPENCODE_CONFIG_DIR/agents/*.md.optima/**.gitignore.optima_sanitize_backup/**~/.local/share/opencode_defend/opencode/opencode.db
Network endpoints5
api.clickup.comapi.github.com127.0.0.1:3001127.0.0.1:9223chatgpt.com

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/index.js config hook can write generated OpenCode agent files to process.env.OPENCODE_CONFIG_DIR/agents.
  • dist/index.js registers OpenCode plugin tools that can create sessions, edit workflow artifacts, manage ClickUp/GitHub webhooks, and run git via execFileSync when invoked.
  • dist/sanitize_cli.js bin can mutate host OpenCode-related repo paths and remove override files after backup; it also supports remote ssh execution when explicitly run.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts.
  • Network calls are package-aligned: ClickUp API, GitHub API, local OpenCode/Chrome CDP, and user-provided URLs for extension source.
  • Shell/child_process use is bounded to git, python sqlite inspection, systemctl, ssh, unzip/chromium helpers, and explicit CLI/tool workflows.
  • No evidence of credential harvesting or covert exfiltration; secrets are read from user config/env for configured ClickUp/GitHub/webhook behavior.
  • Agent/config mutation is plugin-owned and occurs through OpenCode plugin config or explicit bin/tool invocation, not npm install time.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 3 file(s), 1.76 MB of source, external domains: 127.0.0.1, api.clickup.com, api.github.com, auth.openai.com, chatgpt.com, git-scm.com

Source & flagged code

5 flagged · loading source
dist/index.jsView file
7713var import_ignore3 = __toESM(require_ignore(), 1); L7714: import { execFile as execFileCallback2 } from "node:child_process"; L7715: import os7 from "node:os";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L7713
15707if (!script.trim()) return { ok: false, error: "script_required" }; L15708: const fn = new Function("page", "context", "browser", "artifactsDir", `return (async () => { L15709: ${script} ... L15715: } L15716: async function withQaBrowser({ provider = DEFAULT_QA_PROVIDER, cdpUrl = "", clickupTaskId = "", startUrl = "https://chatgpt.com/" } = {}, callback) { L15717: const chromium = await loadPlaywrightChromium(); L15718: const browser = await chromium.connectOverCDP(normalizeCdpUrl(cdpUrl), { L15719: timeout: Number(process.env.OPTIMA_QA_PLAYWRIGHT_CONNECT_TIMEOUT_MS || DEFAULT_QA_PLAYWRIGHT_CONNECT_TIMEOUT_MS) L15720: });
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L15707
15031const browser = {}; L15032: const fn = new Function("cdp", "target", "artifactsDir", "command", "page", "context", "browser", `return (async () => { L15033: ${script}
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/index.jsView on unpkg · L15031
scripts/optima-sanitize-host.jsView file
9const cliPath = fs.existsSync(sourceCli) ? sourceCli : distCli; L10: const { main } = await import(cliPath); L11:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

scripts/optima-sanitize-host.jsView on unpkg · L9
dist/sanitize_cli.jsView file
2592Cross-file remote execution chain: dist/sanitize_cli.js spawns dist/index.js; helper contains network access plus dynamic code execution. L2592: if (typeof node_buffer.Buffer === "function") { L2593: return node_buffer.Buffer.from(src, "base64"); L2594: } else if (typeof atob === "function") { ... L5197: yield* this.next(token); L5198: yield* this.end(forceDoc, endOffset); L5199: } ... L5201: *next(token) { L5202: if (node_process.env.LOG_STREAM) L5203: console.dir(token, { depth: null }); ... L7491: // WTF! L7492: // https://git-scm.com/docs/gitignore L7493: // changes in [2.22.1](https://git-scm.com/docs/gitignore/2.22.1)
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/sanitize_cli.jsView on unpkg · L2592

Findings

4 High3 Medium6 Low
HighChild Processdist/index.js
HighShell
HighSame File Env Network Executiondist/index.js
HighCross File Remote Execution Contextdist/sanitize_cli.js
MediumDynamic Requirescripts/optima-sanitize-host.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowEvaldist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License