registry  /  @polderlabs/bizar  /  4.4.11

@polderlabs/bizar@4.4.11

Norse-pantheon multi-agent system for opencode — 13 agents across 4 cost tiers with cost-aware routing, plans, and a configurable agent harness. v4 ships as a single npm package bundling the dashboard server, opencode plugin, and typed SDK.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package is an opencode agent platform that auto-runs setup on first non-help CLI invocation and writes Bizar agents/plugins/config into opencode directories. This is agent-control-surface mutation, but it is package-aligned and user-invoked rather than npm lifecycle triggered.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Running the bizar CLI, especially first run, install, update, service, or mod commands
Impact
Can modify opencode configuration, install bundled agent/plugin files, install helper tools, and register/update Bizar services when user invokes provisioning commands.
Mechanism
first-run setup and provisioner copy/patch opencode agent extension files
Policy narrative
On first meaningful CLI use, cli/bin.mjs calls ensureSetup, which invokes runPostInstall if opencode markers are missing. That setup writes package-supplied agents, commands, opencode.json, and plugins into opencode config locations and may install supporting tools. Because this behavior is aligned with the package's stated opencode agent-platform purpose and is not an npm lifecycle hook, it is a guarded agent extension risk rather than confirmed malware.
Rationale
Source inspection shows broad agent extension setup into opencode control surfaces, but no install-time npm hook, import-time payload, credential theft, exfiltration, obfuscation, or destructive behavior. The residual risk is user-invoked first-party agent platform mutation, so warn rather than block.
Evidence
package.jsoncli/bin.mjscli/bootstrap.mjscli/install.mjscli/provision.mjscli/copy.mjsbizar-dash/src/server/mods-loader.mjsbizar-dash/src/server/update-store.mjs~/.config/opencode/opencode.json~/.config/opencode/plugins/bizar~/.config/opencode/agents/*.md~/.config/opencode/command~/.config/opencode/commands~/.config/opencode/skill~/.config/opencode/skills~/.config/bizar/service.pid~/.config/bizar/dashboard.pid~/.config/bizar/dashboard.port
Network endpoints4
raw.githubusercontent.com/DrB0rk/bizar-mods/main/registry.jsonastral.sh/uv/install.shdocs.astral.sh/uv127.0.0.1:<port>

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • cli/bin.mjs calls ensureSetup on most first CLI invocations before dispatch.
  • cli/bootstrap.mjs uses missing ~/.config/opencode markers to run runPostInstall.
  • cli/install.mjs runPostInstall copies agents, commands, opencode.json, and plugin into opencode config.
  • cli/install.mjs may install/configure headroom, semble, skills via pip/npm/curl/uv when setup runs.
  • cli/provision.mjs can patch ~/.config/opencode/opencode.json and copy plugins/bizar to ~/.config/opencode/plugins/bizar.
  • cli/provision.mjs update/install paths can install global npm packages and register service via install.sh.
Evidence against
  • package.json has no install/postinstall hook; only prepublishOnly build script.
  • Network and package-manager use is tied to user-invoked CLI setup/update/mod actions, not import-time execution.
  • No credential harvesting or exfiltration found in inspected entrypoints.
  • Dashboard mod registry defaults to GitHub raw URL and is invoked through bizar mod/dashboard APIs.
  • Plugin/control-surface writes are package-aligned for an opencode agent platform.
  • No obfuscated payload, destructive logic, or remote code execution on package import found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
WildcardDependency
scanned 339 file(s), 5.24 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.cohere.com, api.deepseek.com, api.groq.com, api.minimax.chat, api.mistral.ai, api.openai.com, astral.sh, docs.astral.sh, example.com, generativelanguage.googleapis.com, github.com, gitlab.com, json-schema.org, mcp.example.com, minimax.io, obsidian.md, opencode.ai, openrouter.ai, raw.githubusercontent.com, reactjs.org, www.apple.com, www.w3.org

Source & flagged code

31 flagged · loading source
bizar-dash/tests/memory-sync.test.mjsView file
107patternName = aws_access_key severity = critical line = 107 matchedText = body: 'A...ey',
Critical
Critical Secret

Package contains a critical-looking secret pattern.

bizar-dash/tests/memory-sync.test.mjsView on unpkg · L107
107patternName = aws_access_key severity = critical line = 107 matchedText = body: 'A...ey',
Critical
Secret Pattern

AWS access key ID in bizar-dash/tests/memory-sync.test.mjs

bizar-dash/tests/memory-sync.test.mjsView on unpkg · L107
12import { mkdirSync, rmSync, writeFileSync, existsSync, readFileSync } from 'node:fs'; L13: import { execSync } from 'node:child_process'; L14:
High
Child Process

Package source references child process execution.

bizar-dash/tests/memory-sync.test.mjsView on unpkg · L12
bizar-dash/src/server/browser.mjsView file
18} else if (platform === 'win32') { L19: // Windows `start` is a shell builtin; spawn it via cmd.exe. L20: cmd = 'cmd';
High
Shell

Package source references shell execution.

bizar-dash/src/server/browser.mjsView on unpkg · L18
templates/plan/htmx.min.jsView file
1var htmx=function(){"use strict";const Q={onLoad:null,process:null,on:null,off:null,trigger:null,ajax:null,find:null,findAll:null,closest:null,values:function(e,t){const n=cn(e,t||...
Low
Eval

Package source references a known benign dynamic code generation pattern.

templates/plan/htmx.min.jsView on unpkg · L1
bizar-dash/tests/mod-instructions.node.test.mjsView file
28// Import AFTER HOME is set so the loader resolves constants correctly. L29: const loaderModule = await import(LOADER); L30: const { modsLoader } = loaderModule;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bizar-dash/tests/mod-instructions.node.test.mjsView on unpkg · L28
bizar-dash/src/server/routes/activity.mjsView file
25L26: const HIDDEN_PATH = join(homedir(), '.cache', 'bizar', 'activity-hidden.json'); L27: ... L30: try { L31: return JSON.parse(readFileSync(HIDDEN_PATH, 'utf8')); L32: } catch { ... L80: // POST /activity/hide — add keys to hidden list L81: router.post('/activity/hide', wrap(async (req, res) => { L82: const keys = Array.isArray(req.body?.keys) ? req.body.keys : [];
Low
Weak Crypto

Package source references weak cryptographic algorithms.

bizar-dash/src/server/routes/activity.mjsView on unpkg · L25
cli/service-controller.mjsView file
23* secrets come from a 0600 env file (`~/.config/bizar/service.env`). L24: * * All process spawning uses `spawnSync(command, args, {shell: false})` L25: * with explicit arg arrays. There is no string concatenation into a ... L43: const __filename = fileURLToPath(import.meta.url); L44: const __dirname = dirname(__filename); L45: const HOME = homedir(); ... L51: if (PLATFORM === 'win32') { L52: return process.env.APPDATA L53: ? join(process.env.APPDATA, 'bizar') ... L78: * Run an external command with explicit arg array. No shell. Strict 15s budget. L79: * Returns {status, stdout, stderr, error} where `status` is the exit code L80: * (or null on spawn failure) and `error` is a non-null Error object only when
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

cli/service-controller.mjsView on unpkg · L23
bizar-dash/src/server/schedules-runner.mjsView file
18*/ L19: import { spawn } from 'node:child_process'; L20: import { writeFileSync, appendFileSync, mkdirSync } from 'node:fs'; ... L22: import { homedir } from 'node:os'; L23: import { isIP } from 'node:net'; L24: import { projectsStore } from './projects-store.mjs'; ... L29: const LOG_FILE = join(LOG_DIR, 'service.log'); L30: const ALLOW_PRIVATE_WEBHOOKS = process.env.BIZAR_DASHBOARD_ALLOW_PRIVATE_WEBHOOKS === '1'; L31: const SHELL_META = /[;&|`$<>\n\r]/;
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

bizar-dash/src/server/schedules-runner.mjsView on unpkg · L18
cli/bin.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @polderlabs/bizar@4.4.3 matchedIdentity = npm:QHBvbGRlcmxhYnMvYml6YXI:4.4.3 similarity = 0.950 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

cli/bin.mjsView on unpkg
802// Chromium with remote debugging so the browser-harness Python tool L803: // (from https://github.com/browser-use/browser-harness) can connect. L804: const { execFileSync } = await import('node:child_process'); L805: const sub = args[1] || 'start'; ... L811: }); L812: if (out) process.stdout.write(out); L813: } catch (err) {
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

cli/bin.mjsView on unpkg · L802
cli/copy.mjsView file
80L81: const skillsDir = join(homedir(), '.opencode', 'skills'); L82: const dstDir = join(skillsDir, name); ... L124: let templateObj; L125: try { templateObj = JSON.parse(templateRaw); } catch { L126: spinner.fail(chalk.red('Invalid opencode.json template')); ... L344: export async function installHeadroom() { L345: const { execSync } = await import('node:child_process'); L346: ... L360: L361: if (process.platform === 'win32') { L362: spinner.fail(chalk.red('Automatic Headroom install not supported on Windows. Install manually: pip install "headroom-ai[all]"'));
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

cli/copy.mjsView on unpkg · L80
bizar-dash/src/server/update-store.mjsView file
77try { L78: const output = execSync( L79: `npm install -g ${p.name}@latest --ignore-scripts`, L80: {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bizar-dash/src/server/update-store.mjsView on unpkg · L77
config/skills/embedded-esp-idf/scripts/size_check.shView file
path = config/skills/embedded-esp-idf/scripts/size_check.sh kind = build_helper sizeBytes = 2452 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

config/skills/embedded-esp-idf/scripts/size_check.shView on unpkg
package.jsonView file
scripts changed=test:sdk,test:sdk:watch
Critical
Manifest Confusion

Tarball package.json differs from the npm registry version manifest for scripts or dependency sets.

package.jsonView on unpkg
bizar-dash/tests/memory-secrets.test.mjsView file
19patternName = aws_access_key severity = critical line = 19 matchedText = const re...E');
Critical
Secret Pattern

AWS access key ID in bizar-dash/tests/memory-secrets.test.mjs

bizar-dash/tests/memory-secrets.test.mjsView on unpkg · L19
25patternName = github_pat severity = critical line = 25 matchedText = const re...D');
Critical
Secret Pattern

GitHub personal access token in bizar-dash/tests/memory-secrets.test.mjs

bizar-dash/tests/memory-secrets.test.mjsView on unpkg · L25
31patternName = stripe_live_secret severity = critical line = 31 matchedText = const re...p');
Critical
Secret Pattern

Stripe live secret key in bizar-dash/tests/memory-secrets.test.mjs

bizar-dash/tests/memory-secrets.test.mjsView on unpkg · L31
37patternName = slack_bot_token severity = critical line = 37 matchedText = const re...x');
Critical
Secret Pattern

Slack bot token in bizar-dash/tests/memory-secrets.test.mjs

bizar-dash/tests/memory-secrets.test.mjsView on unpkg · L37
43patternName = private_key_rsa severity = critical line = 43 matchedText = const re...-');
Critical
Secret Pattern

RSA private key in bizar-dash/tests/memory-secrets.test.mjs

bizar-dash/tests/memory-secrets.test.mjsView on unpkg · L43
92patternName = aws_access_key severity = critical line = 92 matchedText = const te...ee';
Critical
Secret Pattern

AWS access key ID in bizar-dash/tests/memory-secrets.test.mjs

bizar-dash/tests/memory-secrets.test.mjsView on unpkg · L92
99patternName = aws_access_key severity = critical line = 99 matchedText = const re...E');
Critical
Secret Pattern

AWS access key ID in bizar-dash/tests/memory-secrets.test.mjs

bizar-dash/tests/memory-secrets.test.mjsView on unpkg · L99
bizar-dash/tests/memory-store.test.mjsView file
219patternName = aws_access_key severity = critical line = 219 matchedText = body: 'A...ey',
Critical
Secret Pattern

AWS access key ID in bizar-dash/tests/memory-store.test.mjs

bizar-dash/tests/memory-store.test.mjsView on unpkg · L219
bizar-dash/tests/memory-cli.test.mjsView file
231patternName = aws_access_key severity = critical line = 231 matchedText = '--body'...ey',
Critical
Secret Pattern

AWS access key ID in bizar-dash/tests/memory-cli.test.mjs

bizar-dash/tests/memory-cli.test.mjsView on unpkg · L231
bizar-dash/scripts/smoke-bg-retry.mjsView file
45patternName = generic_password severity = medium line = 45 matchedText = const in...' };
Medium
Secret Pattern

Hardcoded password in bizar-dash/scripts/smoke-bg-retry.mjs

bizar-dash/scripts/smoke-bg-retry.mjsView on unpkg · L45
53patternName = generic_password severity = medium line = 53 matchedText = const in...' };
Medium
Secret Pattern

Hardcoded password in bizar-dash/scripts/smoke-bg-retry.mjs

bizar-dash/scripts/smoke-bg-retry.mjsView on unpkg · L53
65patternName = generic_password severity = medium line = 65 matchedText = password...st',
Medium
Secret Pattern

Hardcoded password in bizar-dash/scripts/smoke-bg-retry.mjs

bizar-dash/scripts/smoke-bg-retry.mjsView on unpkg · L65
plugins/bizar/tests/http-client.test.tsView file
51patternName = generic_password severity = medium line = 51 matchedText = construc...") {
Medium
Secret Pattern

Hardcoded password in plugins/bizar/tests/http-client.test.ts

plugins/bizar/tests/http-client.test.tsView on unpkg · L51
plugins/bizar/tests/serve.test.tsView file
70patternName = generic_password severity = medium line = 70 matchedText = this.pas...rd";
Medium
Secret Pattern

Hardcoded password in plugins/bizar/tests/serve.test.ts

plugins/bizar/tests/serve.test.tsView on unpkg · L70
plugins/bizar/src/serve-info.tsView file
24patternName = generic_password severity = medium line = 24 matchedText = * ...4>",
Medium
Secret Pattern

Hardcoded password in plugins/bizar/src/serve-info.ts

plugins/bizar/src/serve-info.tsView on unpkg · L24
packages/sdk/tests/client.test.tsView file
23patternName = generic_password severity = medium line = 23 matchedText = password...23",
Medium
Secret Pattern

Hardcoded password in packages/sdk/tests/client.test.ts

packages/sdk/tests/client.test.tsView on unpkg · L23

Findings

13 Critical6 High14 Medium7 Low
CriticalCritical Secretbizar-dash/tests/memory-sync.test.mjs
CriticalManifest Confusionpackage.json
CriticalPrevious Version Dangerous Deltacli/bin.mjs
CriticalSecret Patternbizar-dash/tests/memory-sync.test.mjs
CriticalSecret Patternbizar-dash/tests/memory-secrets.test.mjs
CriticalSecret Patternbizar-dash/tests/memory-secrets.test.mjs
CriticalSecret Patternbizar-dash/tests/memory-secrets.test.mjs
CriticalSecret Patternbizar-dash/tests/memory-secrets.test.mjs
CriticalSecret Patternbizar-dash/tests/memory-secrets.test.mjs
CriticalSecret Patternbizar-dash/tests/memory-secrets.test.mjs
CriticalSecret Patternbizar-dash/tests/memory-secrets.test.mjs
CriticalSecret Patternbizar-dash/tests/memory-store.test.mjs
CriticalSecret Patternbizar-dash/tests/memory-cli.test.mjs
HighChild Processbizar-dash/tests/memory-sync.test.mjs
HighShellbizar-dash/src/server/browser.mjs
HighSame File Env Network Executionbizar-dash/src/server/schedules-runner.mjs
HighCommand Output Exfiltrationcli/bin.mjs
HighSandbox Evasion Gated Capabilitycli/copy.mjs
HighRuntime Package Installbizar-dash/src/server/update-store.mjs
MediumDynamic Requirebizar-dash/tests/mod-instructions.node.test.mjs
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencecli/service-controller.mjs
MediumShips Build Helperconfig/skills/embedded-esp-idf/scripts/size_check.sh
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
MediumSecret Patternbizar-dash/scripts/smoke-bg-retry.mjs
MediumSecret Patternbizar-dash/scripts/smoke-bg-retry.mjs
MediumSecret Patternbizar-dash/scripts/smoke-bg-retry.mjs
MediumSecret Patternplugins/bizar/tests/http-client.test.ts
MediumSecret Patternplugins/bizar/tests/serve.test.ts
MediumSecret Patternplugins/bizar/src/serve-info.ts
MediumSecret Patternpackages/sdk/tests/client.test.ts
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaltemplates/plan/htmx.min.js
LowWeak Cryptobizar-dash/src/server/routes/activity.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings