npm - opencode-api-security-testing - Versions diffs - 5.2.0 → 5.2.2 - Mend

opencode-api-security-testing 5.2.0 → 5.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/SKILL.md +0 -6
package/agents/api-cyber-supervisor.md +3 -5
package/package.json +1 -1
package/src/index.ts +22 -3

package/SKILL.md CHANGED Viewed

@@ -69,12 +69,6 @@ tools:
   - name: report_generator
     description: "Compile evidence-based security report."
     usage: "During 报告 to generate deliverables."
-  - name: endpoint_discover
-    description: "Auto-discover API endpoints from JS, HTML, sitemap, robots.txt, and common paths."
-    usage: "During 侦察 to automatically map the attack surface without manual input."
-  - name: env_checker
-    description: "Auto-detect and install missing dependencies (Python, pip, Playwright, etc.)."
-    usage: "Runs automatically during postinstall; can be triggered manually to fix environment issues."
 notes:
   - "All tools must be used within their defined phases; avoid cross-phase misuse."
   - "Preserve evidence with timestamps; ensure traceability for audits."

package/agents/api-cyber-supervisor.md CHANGED Viewed

@@ -31,7 +31,6 @@ color: "#FF5733"
 | 工具 | 用途 | 场景 |
 |------|------|------|
-| endpoint_discover | 端点自动发现 | 从 JS/HTML/Sitemap 提取 |
 | api_security_scan | 完整扫描 | 全面测试 |
 | api_fuzz_test | 模糊测试 | 发现未知端点 |
 | browser_collect | 浏览器采集 | SPA 应用 |
@@ -41,14 +40,13 @@ color: "#FF5733"
 | cloud_storage_test | 云存储测试 | OSS/S3 |
 | idor_test | IDOR 测试 | 越权漏洞 |
 | sqli_test | SQLi 测试 | 注入漏洞 |
-| report_generate | 报告生成 | Markdown/HTML/JSON 格式 |
 ## 测试流程
 ### Phase 1: 侦察
-1. endpoint_discover 自动发现所有 API 端点
-2. browser_collect 采集动态端点
-3. js_parse 分析 JS 文件
+1. browser_collect 采集动态端点
+2. js_parse 分析 JS 文件
+3. url_discover 发现隐藏端点
 ### Phase 2: 分析
 1. 识别技术栈

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "opencode-api-security-testing",
-  "version": "5.2.0",
+  "version": "5.2.2",
   "description": "API Security Testing Plugin for OpenCode - Automated vulnerability scanning and penetration testing",
   "type": "module",
   "main": "src/index.ts",

package/src/index.ts CHANGED Viewed

@@ -2,6 +2,10 @@ import type { Plugin } from "@opencode-ai/plugin";
 import { tool } from "@opencode-ai/plugin";
 import { join } from "path";
 import { existsSync, readFileSync } from "fs";
+import { exec } from "child_process";
+import { promisify } from "util";
+const execAsync = promisify(exec);
 const SKILL_DIR = "skills/api-security-testing";
 const CORE_DIR = `${SKILL_DIR}/core`;
@@ -183,9 +187,24 @@ To activate these agents, simply mention their name in your response (e.g., "@ap
 }
 async function execShell(ctx: unknown, cmd: string): Promise<string> {
-  const shell = ctx as { $: (strings: TemplateStringsArray, ...expr: unknown[]) => Promise<{ toString(): string }> };
-  const result = await shell.$`${cmd}`;
-  return result.toString();
+  try {
+    const { stdout, stderr } = await execAsync(cmd, {
+      maxBuffer: 1024 * 1024 * 10, // 10MB buffer
+      timeout: 120000, // 2 minutes timeout
+      shell: process.platform === "win32" ? "powershell.exe" : undefined
+    });
+    if (stderr && !stdout) {
+      return `Error: ${stderr}`;
+    }
+    return stdout || stderr;
+  } catch (error: unknown) {
+    const err = error as { message?: string; stdout?: string; stderr?: string };
+    // 如果有 stdout 输出，即使命令失败也返回输出
+    if (err.stdout) {
+      return err.stdout;
+    }
+    return `Error: ${err.message || "Unknown error"}`;
+  }
 }
 function getFailureCount(sessionID: string): number {