registry  /  @defend-tech/opencode-optima  /  0.1.96

@defend-tech/opencode-optima@0.1.96

> Don't just code with AI. Build enterprise-grade software.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
An OpenCode agent invokes the QA browser tool with `command_json`, or a user explicitly runs `optima-sanitize-host --host <host>`.
Impact
A permitted OpenCode agent can operate an authenticated browser session or run the sanitizer on a selected remote host; no install-time execution or foreign AI-agent configuration mutation was confirmed.
Mechanism
User- or agent-supplied browser script evaluation and explicit SSH subprocess execution.
Rationale
Read-only inspection resolves the earlier manual review. This is an OpenCode-focused agent platform with broad but runtime-gated capabilities: it registers package-owned OpenCode agents, controls a configured local Chrome DevTools session, and offers an explicit SSH sanitizer mode. The package has no npm install lifecycle trigger and inspection found no payload download/execution chain, credential exfiltration endpoint, persistence mechanism, or unconsented mutation of foreign/broad AI-agent control surfaces. The browser script and SSH capabilities remain risky enough for a warn-only agent capability review, but do not establish malware intent.
Evidence
package.jsonscripts/optima-sanitize-host.jsdist/index.jsdist/sanitize_cli.js.optima.local/share/opencode/opencode-optima
Network endpoints5
127.0.0.1:9223127.0.0.1:3001api.clickup.comapi.github.comchatgpt.com/

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/index.js` contains QA-browser helpers that execute a `command_json` script with `new Function` and can attach to a configured Chrome DevTools endpoint; the behavior is exposed through the package's OpenCode plugin runtime rather than an npm lifecycle script.
  • `dist/index.js` modifies OpenCode's in-memory plugin configuration to register Optima agents, may disable existing built-in agents, and sets `product_manager` as the default agent.
  • `dist/sanitize_cli.js` supports explicit `--host` execution through `ssh` and reads a local OpenCode SQLite database via a fixed Python helper; these are user-invoked CLI paths, not install-time behavior.
Evidence against
  • `package.json` declares no `preinstall`, `install`, or `postinstall` script, so npm installation does not invoke the CLI, browser controls, network clients, or filesystem mutations.
  • `scripts/optima-sanitize-host.js` only imports and invokes the shipped CLI when the user runs `npm run sanitize:host`; it does not run automatically on installation.
  • The inspected external endpoints are `api.clickup.com`, `api.github.com`, `chatgpt.com`, and local `127.0.0.1`/`localhost` OpenCode or Chrome DevTools services; no static evidence shows a third-party payload host, remote JavaScript download, credential exfiltration, or persistence.
  • Repository writes observed in `dist/index.js` target Optima/OpenCode project-local runtime and configuration paths such as `.optima` rather than foreign Claude, Codex, Cursor, or MCP control-surface files.
  • The dynamic browser and remote-host capabilities require runtime tool/CLI arguments and configured local services; inspected sources do not establish an unconsented automatic trigger.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 3 file(s), 1.44 MB of source, external domains: 127.0.0.1, api.clickup.com, api.github.com, chatgpt.com, git-scm.com

Source & flagged code

5 flagged · loading source
dist/index.jsView file
8708import path3 from "node:path"; L8709: import { execFileSync } from "node:child_process"; L8710: function toGitPath(worktree, targetPath) {
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L8708
14319if (!script.trim()) return { ok: false, error: "script_required" }; L14320: const fn = new Function("page", "context", "browser", "artifactsDir", `return (async () => { L14321: ${script} ... L14327: } L14328: async function withQaBrowser({ provider = DEFAULT_QA_PROVIDER, cdpUrl = "", clickupTaskId = "", startUrl = "https://chatgpt.com/" } = {}, callback) { L14329: const chromium = await loadPlaywrightChromium(); L14330: const browser = await chromium.connectOverCDP(normalizeCdpUrl(cdpUrl), { L14331: timeout: Number(process.env.OPTIMA_QA_PLAYWRIGHT_CONNECT_TIMEOUT_MS || DEFAULT_QA_PLAYWRIGHT_CONNECT_TIMEOUT_MS) L14332: });
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L14319
13921const cdp = { send: (method, params = {}, options = {}) => session.send(method, params, options), evaluate: (expression, options = {}) => session.evaluate(expression, options) }; L13922: const fn = new Function("cdp", "target", "artifactsDir", "command", `return (async () => { L13923: ${script}
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/index.jsView on unpkg · L13921
scripts/optima-sanitize-host.jsView file
9const cliPath = fs.existsSync(sourceCli) ? sourceCli : distCli; L10: const { main } = await import(cliPath); L11:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

scripts/optima-sanitize-host.jsView on unpkg · L9
dist/sanitize_cli.jsView file
2592Cross-file remote execution chain: dist/sanitize_cli.js spawns dist/index.js; helper contains network access plus dynamic code execution. L2592: if (typeof node_buffer.Buffer === "function") { L2593: return node_buffer.Buffer.from(src, "base64"); L2594: } else if (typeof atob === "function") { ... L5197: yield* this.next(token); L5198: yield* this.end(forceDoc, endOffset); L5199: } ... L5201: *next(token) { L5202: if (node_process.env.LOG_STREAM) L5203: console.dir(token, { depth: null }); ... L7491: // WTF! L7492: // https://git-scm.com/docs/gitignore L7493: // changes in [2.22.1](https://git-scm.com/docs/gitignore/2.22.1)
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/sanitize_cli.jsView on unpkg · L2592

Findings

4 High3 Medium6 Low
HighChild Processdist/index.js
HighShell
HighSame File Env Network Executiondist/index.js
HighCross File Remote Execution Contextdist/sanitize_cli.js
MediumDynamic Requirescripts/optima-sanitize-host.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowEvaldist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License