opencode-fractal-memory@0.6.41

Fractal memory system for OpenCode with semantic search and automatic compression.

Static Scan Results

scanned 7h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcess, Crypto, EnvironmentVars, Eval, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, Minified, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 213 file(s), 1.91 MB of source, external domains: 127.0.0.1, cdnjs.cloudflare.com, huggingface.co, raw.githubusercontent.com, www.w3.org

Source & flagged code

5 flagged
package.json
scripts.postinstall = node scripts/postinstall.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node scripts/postinstall.cjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
management/public/d3.min.js
1// https://d3js.org v7.9.0 Copyright 2010-2023 Mike Bostock L2: !function(t,n){"object"==typeof exports&&"undefined"!=typeof module?n(exports):"function"==typeof define&&define.amd?define(["exports"],n):n((t="undefined"!=typeof globalThis?globa...
Low
Eval

Package source references a known benign dynamic code generation pattern.

management/public/d3.min.js · L1
scripts/opencode-backup.sh
path = scripts/opencode-backup.sh kind = build_helper sizeBytes = 1629 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/opencode-backup.sh
dist/management-server.js
matchType = previous_version_dangerous_delta matchedPackage = opencode-fractal-memory@0.6.40 matchedIdentity = npm:b3BlbmNvZGUtZnJhY3RhbC1tZW1vcnk:0.6.40 similarity = 0.992 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/management-server.js

Findings

2 High · 5 Medium · 6 Low
High · Install Time Lifecycle Scripts · package.json
High · Previous Version Dangerous Delta · dist/management-server.js
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · scripts/opencode-backup.sh
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Eval · management/public/d3.min.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings