registry  /  @polderlabs/bizar  /  5.2.0

@polderlabs/bizar@5.2.0

Norse-pantheon multi-agent system for opencode — 13 agents across 4 cost tiers with cost-aware routing, plans, and a configurable agent harness. v4 ships as a single npm package bundling the dashboard server, opencode plugin, and typed SDK.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package is an opencode agent/plugin installer that can modify the user's opencode control surface on first CLI use. This is package-aligned but occurs silently for most bin commands if markers are absent, so it is a lifecycle risk rather than confirmed malware.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Running the bizar CLI without help/version/check and without BIZAR_SKIP_INSTALL when setup markers are missing.
Impact
Adds Bizar agents, commands, plugin files, and opencode.json plugin entry; may install auxiliary tools globally or in user Python tooling.
Mechanism
first-party opencode agent/plugin setup and optional tool installation
Rationale
Static inspection shows first-party opencode extension setup and global helper installs, but no unconsented npm lifecycle mutation, credential theft, destructive action, or remote payload execution. Treat as agent extension lifecycle risk and warn rather than block.
Evidence
package.jsoncli/bin.mjscli/bootstrap.mjscli/install.mjscli/provision.mjscli/copy.mjsbizar-dash/src/server/update-store.mjsbizar-dash/src/web/components/PluginPermissions.tsxbizar-dash/tests/memory-sync.test.mjs~/.config/opencode/opencode.json~/.config/opencode/agents/*.md~/.config/opencode/plugins/bizar/~/.config/opencode/commands-bizar/~/.opencode/skills/
Network endpoints5
astral.sh/uv/install.shastral.sh/uv/install.ps1deb.nodesource.com/setup_20.xrpm.nodesource.com/pub_20.x/nodesource-release-nodesource-1.noarch.rpmraw.githubusercontent.com/Homebrew/install/HEAD/install.sh

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • cli/bin.mjs calls ensureSetup on most bin invocations when setup markers are missing.
  • cli/bootstrap.mjs setup markers target opencode agents and plugins under user config.
  • cli/install.mjs runPostInstall copies agents, commands, plugin, and opencode.json into opencode config.
  • cli/provision.mjs patchOpencodeJson adds ./plugins/bizar/index.ts plugin entry to ~/.config/opencode/opencode.json.
  • cli/install.mjs can install Headroom, Semble, Skills CLI, and skill packs via pip/npm/curl/uv/skills.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hook; only prepublishOnly build.
  • PluginPermissions.tsx only renders permission labels; no dangerous behavior.
  • update-store.mjs updates first-party @polderlabs packages with --ignore-scripts from explicit dashboard update flow.
  • memory-sync.test.mjs contains a test AWS-looking key used to assert secret blocking.
  • No credential harvesting or external exfiltration endpoint found in inspected runtime paths.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
WildcardDependency
scanned 569 file(s), 6.86 MB of source, external domains: 127.0.0.1, ai.google.dev, api.anthropic.com, api.cloudflare.com, api.cohere.ai, api.cohere.com, api.deepseek.com, api.groq.com, api.minimax.chat, api.minimax.io, api.mistral.ai, api.openai.com, api.vercel.com, astral.sh, bizar-plugins.bork.deno.net, console.groq.com, custom.example.com, dash.cloudflare.com, docs.anthropic.com, docs.astral.sh, docs.cohere.com, docs.mistral.ai, example.com, fly.io, generativelanguage.googleapis.com, github.com, gitlab.com, json-schema.org, lmstudio.ai, minimax.io, obsidian.md, ollama.com, opencode.ai, openrouter.ai, platform.deepseek.com, platform.minimax.io, platform.openai.com, raw.githubusercontent.com, reactjs.org, tailscale.com, www.apple.com, www.minimax.io, www.w3.org

Source & flagged code

30 flagged · loading source
bizar-dash/tests/memory-sync.test.mjsView file
107patternName = aws_access_key severity = critical line = 107 matchedText = body: 'A...ey',
Critical
Critical Secret

Package contains a critical-looking secret pattern.

bizar-dash/tests/memory-sync.test.mjsView on unpkg · L107
107patternName = aws_access_key severity = critical line = 107 matchedText = body: 'A...ey',
Critical
Secret Pattern

AWS access key ID in bizar-dash/tests/memory-sync.test.mjs

bizar-dash/tests/memory-sync.test.mjsView on unpkg · L107
bizar-dash/tests/plugins-sandbox.test.mjsView file
5* - Allowed globals are present L6: * - Forbidden globals (process, require, child_process, raw fs, L7: * Buffer) are NOT present in the plugin's vm scope
High
Child Process

Package source references child process execution.

bizar-dash/tests/plugins-sandbox.test.mjsView on unpkg · L5
24const REPO = resolve(dirname(fileURLToPath(import.meta.url)), '..'); L25: const SANDBOX = await import(resolve(REPO, 'src/server/plugins/sandbox.mjs')); L26:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bizar-dash/tests/plugins-sandbox.test.mjsView on unpkg · L24
bizar-dash/src/server/browser.mjsView file
18} else if (platform === 'win32') { L19: // Windows `start` is a shell builtin; spawn it via cmd.exe. L20: cmd = 'cmd';
High
Shell

Package source references shell execution.

bizar-dash/src/server/browser.mjsView on unpkg · L18
templates/plan/htmx.min.jsView file
1var htmx=function(){"use strict";const Q={onLoad:null,process:null,on:null,off:null,trigger:null,ajax:null,find:null,findAll:null,closest:null,values:function(e,t){const n=cn(e,t||...
Low
Eval

Package source references a known benign dynamic code generation pattern.

templates/plan/htmx.min.jsView on unpkg · L1
bizar-dash/src/server/routes/activity.mjsView file
25L26: const HIDDEN_PATH = join(homedir(), '.cache', 'bizar', 'activity-hidden.json'); L27: ... L30: try { L31: return JSON.parse(readFileSync(HIDDEN_PATH, 'utf8')); L32: } catch { ... L80: // POST /activity/hide — add keys to hidden list L81: router.post('/activity/hide', wrap(async (req, res) => { L82: const keys = Array.isArray(req.body?.keys) ? req.body.keys : [];
Low
Weak Crypto

Package source references weak cryptographic algorithms.

bizar-dash/src/server/routes/activity.mjsView on unpkg · L25
cli/service-controller.mjsView file
23* secrets come from a 0600 env file (`~/.config/bizar/service.env`). L24: * * All process spawning uses `spawnSync(command, args, {shell: false})` L25: * with explicit arg arrays. There is no string concatenation into a ... L44: const __filename = fileURLToPath(import.meta.url); L45: const __dirname = dirname(__filename); L46: const HOME = homedir(); ... L52: if (PLATFORM === 'win32') return null; L53: return process.env.XDG_CONFIG_HOME L54: ? join(process.env.XDG_CONFIG_HOME, 'systemd', 'user') ... L68: * Run an external command with explicit arg array. No shell. Strict 15s budget. L69: * Returns {status, stdout, stderr, error} where `status` is the exit code L70: * (or null on spawn failure) and `error` is a non-null Error object only when
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

cli/service-controller.mjsView on unpkg · L23
bizar-dash/src/server/schedules-runner.mjsView file
18*/ L19: import { spawn } from 'node:child_process'; L20: import { writeFileSync, appendFileSync, mkdirSync } from 'node:fs'; ... L22: import { homedir } from 'node:os'; L23: import { isIP } from 'node:net'; L24: import { projectsStore } from './projects-store.mjs'; ... L30: const LOG_FILE = join(LOG_DIR, 'service.log'); L31: const ALLOW_PRIVATE_WEBHOOKS = process.env.BIZAR_DASHBOARD_ALLOW_PRIVATE_WEBHOOKS === '1'; L32: const SHELL_META = /[;&|`$<>\n\r]/;
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

bizar-dash/src/server/schedules-runner.mjsView on unpkg · L18
cli/copy.mjsView file
80L81: const skillsDir = join(homedir(), '.opencode', 'skills'); L82: const dstDir = join(skillsDir, name); ... L124: let templateObj; L125: try { templateObj = JSON.parse(templateRaw); } catch { L126: spinner.fail(chalk.red('Invalid opencode.json template')); ... L344: export async function installHeadroom() { L345: const { execSync } = await import('node:child_process'); L346: ... L360: L361: if (process.platform === 'win32') { L362: spinner.fail(chalk.red('Automatic Headroom install not supported on Windows. Install manually: pip install "headroom-ai[all]"'));
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

cli/copy.mjsView on unpkg · L80
bizar-dash/src/server/update-store.mjsView file
77try { L78: const output = execSync( L79: `npm install -g ${p.name}@latest --ignore-scripts`, L80: {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bizar-dash/src/server/update-store.mjsView on unpkg · L77
config/skills/embedded-esp-idf/scripts/size_check.shView file
path = config/skills/embedded-esp-idf/scripts/size_check.sh kind = build_helper sizeBytes = 2452 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

config/skills/embedded-esp-idf/scripts/size_check.shView on unpkg
package.jsonView file
scripts changed=test:sdk,test:sdk:watch
Critical
Manifest Confusion

Tarball package.json differs from the npm registry version manifest for scripts or dependency sets.

package.jsonView on unpkg
bizar-dash/src/web/components/PluginPermissions.tsxView file
matchType = previous_version_dangerous_delta matchedPackage = @polderlabs/bizar@5.0.2 matchedIdentity = npm:QHBvbGRlcmxhYnMvYml6YXI:5.0.2 similarity = 0.842 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bizar-dash/src/web/components/PluginPermissions.tsxView on unpkg
bizar-dash/tests/memory-secrets.test.mjsView file
19patternName = aws_access_key severity = critical line = 19 matchedText = const re...E');
Critical
Secret Pattern

AWS access key ID in bizar-dash/tests/memory-secrets.test.mjs

bizar-dash/tests/memory-secrets.test.mjsView on unpkg · L19
25patternName = github_pat severity = critical line = 25 matchedText = const re...D');
Critical
Secret Pattern

GitHub personal access token in bizar-dash/tests/memory-secrets.test.mjs

bizar-dash/tests/memory-secrets.test.mjsView on unpkg · L25
31patternName = stripe_live_secret severity = critical line = 31 matchedText = const re...p');
Critical
Secret Pattern

Stripe live secret key in bizar-dash/tests/memory-secrets.test.mjs

bizar-dash/tests/memory-secrets.test.mjsView on unpkg · L31
37patternName = slack_bot_token severity = critical line = 37 matchedText = const re...x');
Critical
Secret Pattern

Slack bot token in bizar-dash/tests/memory-secrets.test.mjs

bizar-dash/tests/memory-secrets.test.mjsView on unpkg · L37
43patternName = private_key_rsa severity = critical line = 43 matchedText = const re...-');
Critical
Secret Pattern

RSA private key in bizar-dash/tests/memory-secrets.test.mjs

bizar-dash/tests/memory-secrets.test.mjsView on unpkg · L43
92patternName = aws_access_key severity = critical line = 92 matchedText = const te...ee';
Critical
Secret Pattern

AWS access key ID in bizar-dash/tests/memory-secrets.test.mjs

bizar-dash/tests/memory-secrets.test.mjsView on unpkg · L92
99patternName = aws_access_key severity = critical line = 99 matchedText = const re...E');
Critical
Secret Pattern

AWS access key ID in bizar-dash/tests/memory-secrets.test.mjs

bizar-dash/tests/memory-secrets.test.mjsView on unpkg · L99
bizar-dash/tests/memory-store.test.mjsView file
219patternName = aws_access_key severity = critical line = 219 matchedText = body: 'A...ey',
Critical
Secret Pattern

AWS access key ID in bizar-dash/tests/memory-store.test.mjs

bizar-dash/tests/memory-store.test.mjsView on unpkg · L219
bizar-dash/tests/memory-cli.test.mjsView file
231patternName = aws_access_key severity = critical line = 231 matchedText = '--body'...ey',
Critical
Secret Pattern

AWS access key ID in bizar-dash/tests/memory-cli.test.mjs

bizar-dash/tests/memory-cli.test.mjsView on unpkg · L231
bizar-dash/scripts/smoke-bg-retry.mjsView file
45patternName = generic_password severity = medium line = 45 matchedText = const in...' };
Medium
Secret Pattern

Hardcoded password in bizar-dash/scripts/smoke-bg-retry.mjs

bizar-dash/scripts/smoke-bg-retry.mjsView on unpkg · L45
53patternName = generic_password severity = medium line = 53 matchedText = const in...' };
Medium
Secret Pattern

Hardcoded password in bizar-dash/scripts/smoke-bg-retry.mjs

bizar-dash/scripts/smoke-bg-retry.mjsView on unpkg · L53
65patternName = generic_password severity = medium line = 65 matchedText = password...st',
Medium
Secret Pattern

Hardcoded password in bizar-dash/scripts/smoke-bg-retry.mjs

bizar-dash/scripts/smoke-bg-retry.mjsView on unpkg · L65
plugins/bizar/tests/http-client.test.tsView file
51patternName = generic_password severity = medium line = 51 matchedText = construc...") {
Medium
Secret Pattern

Hardcoded password in plugins/bizar/tests/http-client.test.ts

plugins/bizar/tests/http-client.test.tsView on unpkg · L51
plugins/bizar/tests/serve.test.tsView file
70patternName = generic_password severity = medium line = 70 matchedText = this.pas...rd";
Medium
Secret Pattern

Hardcoded password in plugins/bizar/tests/serve.test.ts

plugins/bizar/tests/serve.test.tsView on unpkg · L70
plugins/bizar/src/serve-info.tsView file
24patternName = generic_password severity = medium line = 24 matchedText = * ...4>",
Medium
Secret Pattern

Hardcoded password in plugins/bizar/src/serve-info.ts

plugins/bizar/src/serve-info.tsView on unpkg · L24
packages/sdk/tests/client.test.tsView file
23patternName = generic_password severity = medium line = 23 matchedText = password...23",
Medium
Secret Pattern

Hardcoded password in packages/sdk/tests/client.test.ts

packages/sdk/tests/client.test.tsView on unpkg · L23

Findings

13 Critical5 High14 Medium8 Low
CriticalCritical Secretbizar-dash/tests/memory-sync.test.mjs
CriticalManifest Confusionpackage.json
CriticalPrevious Version Dangerous Deltabizar-dash/src/web/components/PluginPermissions.tsx
CriticalSecret Patternbizar-dash/tests/memory-sync.test.mjs
CriticalSecret Patternbizar-dash/tests/memory-secrets.test.mjs
CriticalSecret Patternbizar-dash/tests/memory-secrets.test.mjs
CriticalSecret Patternbizar-dash/tests/memory-secrets.test.mjs
CriticalSecret Patternbizar-dash/tests/memory-secrets.test.mjs
CriticalSecret Patternbizar-dash/tests/memory-secrets.test.mjs
CriticalSecret Patternbizar-dash/tests/memory-secrets.test.mjs
CriticalSecret Patternbizar-dash/tests/memory-secrets.test.mjs
CriticalSecret Patternbizar-dash/tests/memory-store.test.mjs
CriticalSecret Patternbizar-dash/tests/memory-cli.test.mjs
HighChild Processbizar-dash/tests/plugins-sandbox.test.mjs
HighShellbizar-dash/src/server/browser.mjs
HighSame File Env Network Executionbizar-dash/src/server/schedules-runner.mjs
HighSandbox Evasion Gated Capabilitycli/copy.mjs
HighRuntime Package Installbizar-dash/src/server/update-store.mjs
MediumDynamic Requirebizar-dash/tests/plugins-sandbox.test.mjs
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencecli/service-controller.mjs
MediumShips Build Helperconfig/skills/embedded-esp-idf/scripts/size_check.sh
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
MediumSecret Patternbizar-dash/scripts/smoke-bg-retry.mjs
MediumSecret Patternbizar-dash/scripts/smoke-bg-retry.mjs
MediumSecret Patternbizar-dash/scripts/smoke-bg-retry.mjs
MediumSecret Patternplugins/bizar/tests/http-client.test.ts
MediumSecret Patternplugins/bizar/tests/serve.test.ts
MediumSecret Patternplugins/bizar/src/serve-info.ts
MediumSecret Patternpackages/sdk/tests/client.test.ts
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaltemplates/plan/htmx.min.js
LowWeak Cryptobizar-dash/src/server/routes/activity.mjs
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings