Security Finding: Pair Token Exposed via CLI Argument
Severity: Medium
Component: opencode-push CLI
Description
The pair token is passed as a command-line argument when running opencode-push pair --pair <token> or opencode-push install --pair <token>.
This causes the token to be:
- Visible in process listings (ps aux will show the token)
- Stored in shell history (.bash_history, .zsh_history, etc.)
- Leaked to log files if command logging is enabled
Impact
- Any local user with access to shell history can retrieve the pair token
- Shared systems expose the token to other users
- CI/CD systems may log commands and expose the token
Evidence
From cmd.js:
if (arg === "--pair") {
  const next = args[i + 1];
  if (next) {
    opts.pair = next; // Token stored as plain string in memory
    i += 1;
  }
  continue;
}
README example shows:
opencode-push pair --pair <token>
Recommendation
Use environment variables or stdin for token input:
# Preferred: environment variable
WHISPEROPENCODE_PAIR_TOKEN=xxx opencode-push pair
# Alternative: stdin
echo "xxx" | opencode-push pair --pair -
Document that users should treat pair tokens like passwords.
References
- File: dist/src/cmd.js (parse function, line 205-211)