registry  /  opencode-swarm  /  7.114.0

opencode-swarm@7.114.0

Architect-centric agentic swarm plugin for OpenCode - hub-and-spoke orchestration with SME consultation, code generation, and QA review

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 21 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 64 file(s), 3.46 MB of source, external domains: 127.0.0.1, api.search.brave.com, api.tavily.com, github.com, json-schema.org, registry.npmjs.org
Oversized source lightweight scan
dist/index.js4.57 MB file, sampled 256 KB
FilesystemNetworkEnvironmentVarsHighEntropyStringsMinifiedUrlStringsProtestwareapi.search.brave.comapi.tavily.comgithub.comregistry.npmjs.org

Source & flagged code

12 flagged · loading source
dist/cli/index-zezjy05g.jsView file
25361patternName = private_key_rsa severity = critical line = 25361 matchedText = redactTe...---"
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/cli/index-zezjy05g.jsView on unpkg · L25361
25361patternName = private_key_rsa severity = critical line = 25361 matchedText = redactTe...---"
Critical
Secret Pattern

RSA private key in dist/cli/index-zezjy05g.js

dist/cli/index-zezjy05g.jsView on unpkg · L25361
18901"tree-sitter-dart.wasm", L18902: "tree-sitter-powershell.wasm", L18903: "tree-sitter-ini.wasm",
High
Shell

Package source references shell execution.

dist/cli/index-zezjy05g.jsView on unpkg · L18901
349Cross-file remote execution chain: dist/cli/index-zezjy05g.js spawns dist/cli/index-ga4ta3cr.js; helper contains network access plus dynamic code execution. L349: try { L350: const maybeGates = JSON.parse(row.gates); L351: if (maybeGates && typeof maybeGates === "object" && !Array.isArray(maybeGates)) { ... L479: bunSpawn, L480: platform: process.platform, L481: sleep: (ms) => new Promise((resolve2) => setTimeout(resolve2, ms)), ... L491: stdin: "ignore", L492: stdout: "pipe", L493: stderr: "pipe", L494: env: { ...process.env, LC_ALL: "C" } L495: }); ... L662: dense: 0.4,
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli/index-zezjy05g.jsView on unpkg · L349
349try { L350: const maybeGates = JSON.parse(row.gates); L351: if (maybeGates && typeof maybeGates === "object" && !Array.isArray(maybeGates)) { ... L479: bunSpawn, L480: platform: process.platform, L481: sleep: (ms) => new Promise((resolve2) => setTimeout(resolve2, ms)), ... L491: stdin: "ignore", L492: stdout: "pipe", L493: stderr: "pipe", L494: env: { ...process.env, LC_ALL: "C" } L495: }); ... L662: dense: 0.4,
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/cli/index-zezjy05g.jsView on unpkg · L349
dist/cli/index-dqh3zhhc.jsView file
2// src/background/workspace-snapshot.ts L3: import * as child_process from "child_process"; L4: import { createHash } from "crypto";
High
Child Process

Package source references child process execution.

dist/cli/index-dqh3zhhc.jsView on unpkg · L2
dist/cli/index-jhdv0jdf.jsView file
419{ L420: let probe = seg.replace(/^(?:[A-Za-z_][A-Za-z0-9_]*=\S+\s+)+/, "").replace(/^eval(?:\s+--)?\s+["']?/, "").replace(/["']\s*$/, "").replace(/^\$\(\s*/, "").replace(/^\(\s*/, "").repl... L421: for (let i = 0;i < 4; i++) {
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/cli/index-jhdv0jdf.jsView on unpkg · L419
dist/cli/index-ga4ta3cr.jsView file
87build: { L88: detectFiles: ["package.json"], L89: commands: [ ... L792: detect: "CMakeLists.txt", L793: cmd: "cppcheck --error-exitcode=1 .", L794: priority: 10 ... L1151: "Check for XSS \u2014 all output must be escaped with htmlspecialchars()", L1152: "Confirm no eval(), exec(), or shell_exec() with user-controlled input", L1153: "Validate proper error handling \u2014 no bare catch blocks that swallow errors", ... L1377: bigint: () => bigint2, L1378: base64url: () => base64url2, L1379: base64: () => base642,
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/cli/index-ga4ta3cr.jsView on unpkg · L87
dist/lang/grammars/tree-sitter-go.wasmView file
path = dist/lang/grammars/tree-sitter-go.wasm kind = wasm_module sizeBytes = 217182 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

dist/lang/grammars/tree-sitter-go.wasmView on unpkg
.opencode/skills/codebase-review-swarm/scripts/init-review-run.pyView file
path = .opencode/skills/codebase-review-swarm/scripts/init-review-run.py kind = payload_in_excluded_dir sizeBytes = 4410 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.opencode/skills/codebase-review-swarm/scripts/init-review-run.pyView on unpkg
path = .opencode/skills/codebase-review-swarm/scripts/init-review-run.py kind = build_helper sizeBytes = 4410 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

.opencode/skills/codebase-review-swarm/scripts/init-review-run.pyView on unpkg
dist/index.jsView file
path = dist/index.js kind = oversized_source_file sizeBytes = 4794563 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/index.jsView on unpkg

Findings

2 Critical6 High6 Medium7 Low
CriticalCritical Secretdist/cli/index-zezjy05g.js
CriticalSecret Patterndist/cli/index-zezjy05g.js
HighChild Processdist/cli/index-dqh3zhhc.js
HighShelldist/cli/index-zezjy05g.js
HighObfuscated Payload Loaderdist/cli/index-ga4ta3cr.js
HighCross File Remote Execution Contextdist/cli/index-zezjy05g.js
HighPayload In Excluded Dir.opencode/skills/codebase-review-swarm/scripts/init-review-run.py
HighOversized Source Filedist/index.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumShips Wasm Moduledist/lang/grammars/tree-sitter-go.wasm
MediumShips Build Helper.opencode/skills/codebase-review-swarm/scripts/init-review-run.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/cli/index-jhdv0jdf.js
LowWeak Cryptodist/cli/index-zezjy05g.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings