
opencode-swarm@7.99.5

Architect-centric agentic swarm plugin for OpenCode - hub-and-spoke orchestration with SME consultation, code generation, and QA review

Static Scan Results

scanned 5d ago · by rust-scanner

Static analysis flagged 20 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

Public snapshot

Behavioral surface
Source: ChildProcess, Crypto, EnvironmentVars, Eval, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 43 file(s), 3.03 MB of source, external domains: 127.0.0.1, api.search.brave.com, api.tavily.com, github.com, json-schema.org, registry.npmjs.org

Oversized source lightweight scan
dist/index.js: 5.51 MB file, sampled 256 KB
Signals: Filesystem, Network, EnvironmentVars, HighEntropyStrings, UrlStrings; external domains: api.search.brave.com, api.tavily.com, github.com, registry.npmjs.org

Source & flagged code

12 flagged

dist/cli/index-gjyrjr08.js
L25451: patternName = private_key_rsa severity = critical line = 25451 matchedText = redactTe...---"
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/cli/index-gjyrjr08.js · L25451
L25451: patternName = private_key_rsa severity = critical line = 25451 matchedText = redactTe...---"
Critical
Secret Pattern

RSA private key in dist/cli/index-gjyrjr08.js

dist/cli/index-gjyrjr08.js · L25451
L430: const escapedProfilePath = shellEscape2(profilePath);
L431: return `sandbox-exec -f '${escapedProfilePath}' bash -c '${escapedCommand}'`;
L432: }
High
Shell

Package source references shell execution.

dist/cli/index-gjyrjr08.js · L430
Cross-file remote execution chain: dist/cli/index-gjyrjr08.js spawns dist/cli/index-adz3nk9b.js; helper contains network access plus dynamic code execution.
L178: // src/sandbox/linux/bubblewrap-executor.ts
L179: import { spawnSync } from "child_process";
L180: function probeBwrap() {
...
L196: }
L197: return result.status === BWRAP_VERSION_EXIT && result.stdout.trim().length > 0;
L198: } catch (err) {
...
L376: constructor(scopePaths = [], tempDir) {
L377: if (process.platform !== "darwin") {
L378: throw new Error("MacOSSandboxExecutor not yet implemented");
...
L469: }
L470: const encodedBase64Pattern = /-Enc(odedCommand)?\s+[A-Za-z0-9+/=]+/i;
L471: if (encodedBase64Pattern.test(command)) {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli/index-gjyrjr08.js · L178
L178: // src/sandbox/linux/bubblewrap-executor.ts
L179: import { spawnSync } from "child_process";
L180: function probeBwrap() {
...
L196: }
L197: return result.status === BWRAP_VERSION_EXIT && result.stdout.trim().length > 0;
L198: } catch (err) {
...
L376: constructor(scopePaths = [], tempDir) {
L377: if (process.platform !== "darwin") {
L378: throw new Error("MacOSSandboxExecutor not yet implemented");
...
L469: }
L470: const encodedBase64Pattern = /-Enc(odedCommand)?\s+[A-Za-z0-9+/=]+/i;
L471: if (encodedBase64Pattern.test(command)) {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/cli/index-gjyrjr08.js · L178

dist/cli/index-adz3nk9b.js
L1043: "Check for XSS \u2014 all output must be escaped with htmlspecialchars()",
L1044: "Confirm no eval(), exec(), or shell_exec() with user-controlled input",
L1045: "Validate proper error handling \u2014 no bare catch blocks that swallow errors",
High
Child Process

Package source references child process execution.

dist/cli/index-adz3nk9b.js · L1043
L87: build: {
L88: detectFiles: ["package.json"],
L89: commands: [
...
L684: detect: "CMakeLists.txt",
L685: cmd: "cppcheck --error-exitcode=1 .",
L686: priority: 10
...
L1043: "Check for XSS \u2014 all output must be escaped with htmlspecialchars()",
L1044: "Confirm no eval(), exec(), or shell_exec() with user-controlled input",
L1045: "Validate proper error handling \u2014 no bare catch blocks that swallow errors",
...
L1269: bigint: () => bigint2,
L1270: base64url: () => base64url2,
L1271: base64: () => base642,
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/cli/index-adz3nk9b.js · L87
L1043: "Check for XSS \u2014 all output must be escaped with htmlspecialchars()",
L1044: "Confirm no eval(), exec(), or shell_exec() with user-controlled input",
L1045: "Validate proper error handling \u2014 no bare catch blocks that swallow errors",
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/cli/index-adz3nk9b.js · L1043

dist/lang/grammars/tree-sitter-go.wasm
path = dist/lang/grammars/tree-sitter-go.wasm kind = wasm_module sizeBytes = 217182 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

dist/lang/grammars/tree-sitter-go.wasm

.opencode/skills/codebase-review-swarm/scripts/init-review-run.py
path = .opencode/skills/codebase-review-swarm/scripts/init-review-run.py kind = payload_in_excluded_dir sizeBytes = 4410 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.opencode/skills/codebase-review-swarm/scripts/init-review-run.py
path = .opencode/skills/codebase-review-swarm/scripts/init-review-run.py kind = build_helper sizeBytes = 4410 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

.opencode/skills/codebase-review-swarm/scripts/init-review-run.py

dist/index.js
path = dist/index.js kind = oversized_source_file sizeBytes = 5777131 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/index.js

Findings

2 Critical · 6 High · 5 Medium · 7 Low

Severity | Finding | File
Critical | Critical Secret | dist/cli/index-gjyrjr08.js
Critical | Secret Pattern | dist/cli/index-gjyrjr08.js
High | Child Process | dist/cli/index-adz3nk9b.js
High | Shell | dist/cli/index-gjyrjr08.js
High | Obfuscated Payload Loader | dist/cli/index-adz3nk9b.js
High | Cross File Remote Execution Context | dist/cli/index-gjyrjr08.js
High | Payload In Excluded Dir | .opencode/skills/codebase-review-swarm/scripts/init-review-run.py
High | Oversized Source File | dist/index.js
Medium | Network | 
Medium | Environment Vars | 
Medium | Ships Wasm Module | dist/lang/grammars/tree-sitter-go.wasm
Medium | Ships Build Helper | .opencode/skills/codebase-review-swarm/scripts/init-review-run.py
Medium | Structural Risk Force Deep Review | 
Low | Non Install Lifecycle Scripts | 
Low | Scripts Present | 
Low | Eval | dist/cli/index-adz3nk9b.js
Low | Weak Crypto | dist/cli/index-gjyrjr08.js
Low | Filesystem | 
Low | High Entropy Strings | 
Low | Url Strings | 