
opencode-swarm@7.107.0

⚠ Under review

Architect-centric agentic swarm plugin for OpenCode - hub-and-spoke orchestration with SME consultation, code generation, and QA review

Static Scan Results

scanned 13h ago · by rust-scanner

Static analysis flagged 22 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced dangerous source.

Decision evidence

Behavioral surface (public snapshot)
Source: ChildProcess, Crypto, EnvironmentVars, Eval, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, Minified, Protestware, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 43 file(s), 3.12 MB of source, external domains: 127.0.0.1, api.search.brave.com, api.tavily.com, github.com, json-schema.org, registry.npmjs.org

Oversized source lightweight scan
dist/index.js: 4.37 MB file, sampled 256 KB
Signals: Filesystem, Network, EnvironmentVars, HighEntropyStrings, Minified, UrlStrings, Protestware
Domains: api.search.brave.com, api.tavily.com, github.com, registry.npmjs.org

Source & flagged code

13 flagged

dist/cli/index-fhw0jm5c.js

L27038: patternName = private_key_rsa, severity = critical, line = 27038, matchedText = redactTe...---"
Critical · Critical Secret
Package contains a critical-looking secret pattern.
dist/cli/index-fhw0jm5c.js · L27038

matchType = previous_version_dangerous_delta, matchedPackage = opencode-swarm@7.100.0, matchedIdentity = npm:b3BlbmNvZGUtc3dhcm0:7.100.0, similarity = 0.907, summary = stored previous version shares package body but lacks this dangerous source file
Critical · Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/cli/index-fhw0jm5c.js

L27038: same private_key_rsa pattern match as the Critical Secret finding above (patternName = private_key_rsa, severity = critical, line = 27038, matchedText = redactTe...---")
Critical · Secret Pattern
RSA private key in dist/cli/index-fhw0jm5c.js
dist/cli/index-fhw0jm5c.js · L27038

L181: Cross-file remote execution chain: dist/cli/index-fhw0jm5c.js spawns dist/cli/index-8w4d325g.js; helper contains network access plus dynamic code execution.
  L181: // src/sandbox/linux/bubblewrap-executor.ts
  L182: import { spawnSync } from "child_process";
  L183: function probeBwrap() {
  ...
  L199: }
  L200: return result.status === BWRAP_VERSION_EXIT && result.stdout.trim().length > 0;
  L201: } catch (err) {
  ...
  L379: constructor(scopePaths = [], tempDir) {
  L380: if (process.platform !== "darwin") {
  L381: throw new Error("MacOSSandboxExecutor not yet implemented");
  ...
  L472: }
  L473: const encodedBase64Pattern = /-Enc(odedCommand)?\s+[A-Za-z0-9+/=]+/i;
  L474: if (encodedBase64Pattern.test(command)) {
High · Cross File Remote Execution Context
Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/cli/index-fhw0jm5c.js · L181

L181: same snippet (L181–L474 of dist/cli/index-fhw0jm5c.js) as the Cross File Remote Execution Context finding above
Low · Weak Crypto
Package source references weak cryptographic algorithms.
dist/cli/index-fhw0jm5c.js · L181

dist/cli/index-8w4d325g.js

  L1151: "Check for XSS \u2014 all output must be escaped with htmlspecialchars()",
  L1152: "Confirm no eval(), exec(), or shell_exec() with user-controlled input",
  L1153: "Validate proper error handling \u2014 no bare catch blocks that swallow errors",
High · Child Process
Package source references child process execution.
dist/cli/index-8w4d325g.js · L1151

  L87: build: {
  L88: detectFiles: ["package.json"],
  L89: commands: [
  ...
  L792: detect: "CMakeLists.txt",
  L793: cmd: "cppcheck --error-exitcode=1 .",
  L794: priority: 10
  ...
  L1151: "Check for XSS \u2014 all output must be escaped with htmlspecialchars()",
  L1152: "Confirm no eval(), exec(), or shell_exec() with user-controlled input",
  L1153: "Validate proper error handling \u2014 no bare catch blocks that swallow errors",
  ...
  L1377: bigint: () => bigint2,
  L1378: base64url: () => base64url2,
  L1379: base64: () => base642,
High · Obfuscated Payload Loader
Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.
dist/cli/index-8w4d325g.js · L87

dist/cli/index-v4fcn4tr.js

  L387: platform: "win32",
  L388: mechanism: "PowerShell wrapper",
  L389: error: `cmd.exe probe failed: ${result.error.code}`
High · Shell
Package source references shell execution.
dist/cli/index-v4fcn4tr.js · L387

dist/cli/index-wa6at603.js

  L419: {
  L420: let probe = seg.replace(/^(?:[A-Za-z_][A-Za-z0-9_]*=\S+\s+)+/, "").replace(/^eval(?:\s+--)?\s+["']?/, "").replace(/["']\s*$/, "").replace(/^\$\(\s*/, "").replace(/^\(\s*/, "").repl...
  L421: for (let i = 0;i < 4; i++) {
Low · Eval
Package source references a known benign dynamic code generation pattern.
dist/cli/index-wa6at603.js · L419

dist/lang/grammars/tree-sitter-go.wasm

path = dist/lang/grammars/tree-sitter-go.wasm, kind = wasm_module, sizeBytes = 217182, magicHex = [redacted]
Medium · Ships Wasm Module
Package ships WebAssembly modules.
dist/lang/grammars/tree-sitter-go.wasm

.opencode/skills/codebase-review-swarm/scripts/init-review-run.py

path = .opencode/skills/codebase-review-swarm/scripts/init-review-run.py, kind = payload_in_excluded_dir, sizeBytes = 4410, magicHex = [redacted]
High · Payload In Excluded Dir
Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.
.opencode/skills/codebase-review-swarm/scripts/init-review-run.py

path = .opencode/skills/codebase-review-swarm/scripts/init-review-run.py, kind = build_helper, sizeBytes = 4410, magicHex = [redacted]
Medium · Ships Build Helper
Package ships non-JavaScript build or shell helper files.
.opencode/skills/codebase-review-swarm/scripts/init-review-run.py

dist/index.js

path = dist/index.js, kind = oversized_source_file, sizeBytes = 4585355, magicHex = [redacted]
High · Oversized Source File
Package contains source files above the static scanner size ceiling.
dist/index.js

Findings

3 Critical · 6 High · 6 Medium · 7 Low
Critical · Critical Secret · dist/cli/index-fhw0jm5c.js
Critical · Previous Version Dangerous Delta · dist/cli/index-fhw0jm5c.js
Critical · Secret Pattern · dist/cli/index-fhw0jm5c.js
High · Child Process · dist/cli/index-8w4d325g.js
High · Shell · dist/cli/index-v4fcn4tr.js
High · Obfuscated Payload Loader · dist/cli/index-8w4d325g.js
High · Cross File Remote Execution Context · dist/cli/index-fhw0jm5c.js
High · Payload In Excluded Dir · .opencode/skills/codebase-review-swarm/scripts/init-review-run.py
High · Oversized Source File · dist/index.js
Medium · Network
Medium · Environment Vars
Medium · Protestware
Medium · Ships Wasm Module · dist/lang/grammars/tree-sitter-go.wasm
Medium · Ships Build Helper · .opencode/skills/codebase-review-swarm/scripts/init-review-run.py
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Eval · dist/cli/index-wa6at603.js
Low · Weak Crypto · dist/cli/index-fhw0jm5c.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings