Scan Report
15 /100
occ
Control OpenCode to execute development tasks via CLI
This is a legitimate OpenCode CLI controller that manages development sessions with standard tooling patterns. No malicious behavior detected.
Safe to install
This skill is safe to use. Consider pinning axios to an exact version in package.json (and committing a lockfile) for better supply-chain hygiene.
Security findings (2)
| Severity | Finding | Category | Location |
|---|---|---|---|
| Low | Shell execution not declared in SKILL.md | Documentation mismatch | scripts/bin/opencode-server.js:29 |
| Low | Dependency version not pinned | Supply chain | scripts/package.json:13 |
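Both low-severity findings above are mechanical checks that can be reproduced outside the scanner. The following Node.js script is an added example, not code from the occ skill or from the scanning tool: `findUnpinned` flags any dependency whose version spec is not an exact semver version (ranges such as `^1.6.0`, tags such as `latest`, git URLs), `pinTo` rewrites those specs to resolved versions, and `inferCommandExecution` reports `child_process` calls in source text and whether each one goes through a shell. The sample package.json, the resolved version `1.6.8` and the three source lines are constructed to mirror the evidence in this report, not taken from the skill's files.

```javascript
// Added example: reproduce the "unpinned dependency" and "undeclared shell
// execution" checks from the scan report. The inputs below are constructed.

// An exact semver version: MAJOR.MINOR.PATCH with optional prerelease/build.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Return [{ name, spec, section }] for every dependency whose version spec is
// not an exact version: ranges (^1.6.0, ~1.6.0, >=1.0.0, *), dist-tags (latest)
// and non-registry specs (git URLs), all of which can resolve differently later.
function findUnpinned(pkg) {
  const sections = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
  const out = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (!EXACT_SEMVER.test(String(spec).trim())) out.push({ name, spec, section });
    }
  }
  return out;
}

// Rewrite unpinned specs to the versions actually resolved, given a map
// { name: version } (e.g. read from package-lock.json). Unknown names are kept.
function pinTo(pkg, resolved) {
  const copy = JSON.parse(JSON.stringify(pkg));
  for (const { name, section } of findUnpinned(copy)) {
    if (resolved[name]) copy[section][name] = resolved[name];
  }
  return copy;
}

// child_process entry points. exec/execSync always run through a shell;
// spawn/execFile only do so when called with { shell: true }.
const CHILD_PROCESS_CALL = /\b(exec|execSync|execFile|execFileSync|spawn|spawnSync)\s*\(/g;

// Return [{ file, line, fn, viaShell }] for each call found in `source`.
// Heuristic: a regex over source text, so aliased imports are not followed.
function inferCommandExecution(source, file = '<input>') {
  const findings = [];
  source.split('\n').forEach((line, i) => {
    for (const m of line.matchAll(CHILD_PROCESS_CALL)) {
      const fn = m[1];
      const viaShell = /^exec(Sync)?$/.test(fn) || /shell\s*:\s*true/.test(line);
      findings.push({ file, line: i + 1, fn, viaShell });
    }
  });
  return findings;
}

// Constructed sample input mirroring the report's evidence (not the skill's files).
const SAMPLE_PACKAGE_JSON = {
  name: 'occ-scripts',
  dependencies: { axios: '^1.6.0' },
  devDependencies: { eslint: '8.57.0' },
};
const SAMPLE_RESOLVED = { axios: '1.6.8' }; // assumed lockfile resolution
const SAMPLE_SOURCE = [
  "const { spawn, exec } = require('child_process');",
  "const child = spawn('opencode', ['serve', '--port', String(port)]);",
  "exec('npm install', { cwd: __dirname }, done);",
].join('\n');

function auditReport() {
  return {
    unpinned: findUnpinned(SAMPLE_PACKAGE_JSON),
    pinned: pinTo(SAMPLE_PACKAGE_JSON, SAMPLE_RESOLVED).dependencies,
    commandExecution: inferCommandExecution(SAMPLE_SOURCE, 'scripts/bin/opencode-server.js'),
  };
}

console.log(JSON.stringify(auditReport(), null, 2));
```

Pinning `axios` in package.json only fixes the direct dependency; transitive packages still float unless a lockfile (`package-lock.json`) is committed and installs use `npm ci`, which fails instead of re-resolving when the lockfile and package.json disagree. The `child_process` detector is a text heuristic: it distinguishes `exec('npm install')` (shell) from `spawn('opencode', [...])` (no shell unless `shell: true`), but it cannot follow aliased or dynamically required imports, so treat its output as a prompt for manual review rather than proof of absence.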
Permission analysis
| Resource type | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| File system | READ | WRITE | ✓ Consistent | npm install writes node_modules |
| Network access | NONE | READ | ✓ Consistent | HTTP requests to localhost:4096-4200 |
| Command execution | NONE | WRITE | ✓ Consistent | spawn('opencode') and exec('npm install') |
| Environment variables | NONE | READ | ✓ Consistent | Standard PATH lookup for the 'opencode' binary |
Directory structure
8 files · 14.8 KB · 574 lines (JavaScript: 6 files, 497 lines; Markdown: 1 file, 58 lines; JSON: 1 file, 19 lines)

```text
├─ scripts/
│  ├─ bin/
│  │  └─ opencode-server.js
│  ├─ src/
│  │  ├─ services/
│  │  │  ├─ message.js
│  │  │  └─ session.js
│  │  ├─ utils/
│  │  │  ├─ http.js
│  │  │  └─ server.js
│  │  └─ index.js
│  └─ package.json
└─ SKILL.md
```
Dependency analysis (1)
| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| axios | ^1.6.0 | npm | No | Version range allows updates |
Security highlights
✓ All network communication is localhost-only (127.0.0.1)
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No credential harvesting or exfiltration behavior
✓ No obfuscation or base64-encoded payloads
✓ No external IP connections or C2 indicators
✓ Port scanning is documented in SKILL.md
✓ Session management is scoped to local development workflow