registry  /  @postman-cse/opencode-cse-tools  /  0.26.1

@postman-cse/opencode-cse-tools@0.26.1

OpenCode plugin for Postman CSE Tools: injects the local cse MCP server in every directory, syncs the CSE skill set into the global OpenCode skills dir, and provisions the signed cse-toold daemon. Install globally and it just works, no per-project config.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 14 file(s), 151 KB of source, external domains: 127.0.0.1, api.linear.app, auth.openai.com

Source & flagged code

5 flagged · loading source
index.jsView file
32import path from "node:path" L33: import { spawn } from "node:child_process" L34:
High
Child Process

Package source references child process execution.

index.jsView on unpkg · L32
113package = @postman-cse/opencode-cse-tools; repositoryIdentity = cse-tools; dependency = @postman-cse/cse-toold L113: try { L114: const { resolveCoreBinary } = require("@postman-cse/cse-toold") L115: return resolveCoreBinary()
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

index.jsView on unpkg · L113
skills/cse-sweep/scripts/lib/cse-tools.mjsView file
136// eslint-disable-next-line no-new-func L137: const fn = new Function("tools", "Promise", "JSON", "Math", "Date", "Object", "Array", "String", "Number", "Boolean", L138: `return (async () => {\n${code}\n})()`);
Low
Eval

Package source references a known benign dynamic code generation pattern.

skills/cse-sweep/scripts/lib/cse-tools.mjsView on unpkg · L136
skills/cse-linear-jsp/scripts/linear-jsp.mjsView file
23function apiKey() { L24: if (process.env.LINEAR_API_KEY) return process.env.LINEAR_API_KEY.trim(); L25: try { L26: return execFileSync("security", ["find-generic-password", "-s", "cse-linear-api-key", "-w"], { encoding: "utf8" }).trim(); L27: } catch { ... L36: try { L37: r = await fetch("https://api.linear.app/graphql", { L38: method: "POST",
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

skills/cse-linear-jsp/scripts/linear-jsp.mjsView on unpkg · L23
agents/shared/skill-bootstrap.shView file
path = agents/shared/sk[redacted] kind = build_helper sizeBytes = 2319 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

agents/shared/skill-bootstrap.shView on unpkg

Findings

4 High4 Medium7 Low
HighChild Processindex.js
HighShell
HighSame File Env Network Executionskills/cse-linear-jsp/scripts/linear-jsp.mjs
HighCopied Package Dependency Bridgeindex.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperagents/shared/skill-bootstrap.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvalskills/cse-sweep/scripts/lib/cse-tools.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License