registry  /  @chimerai/cli  /  1.2.173

@chimerai/cli@1.2.173

CLI wizard for ChimerAI starter kit — scaffold auth, RBAC, AI chat, billing and more into any Next.js project

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No install-time malicious behavior is established. An explicit AI-tools scaffold can generate a restricted Python code executor, creating a downstream dangerous capability if deployed with untrusted code input.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `chimerai add ai-tools` and deploys the generated service.
Impact
Potential downstream remote-code-execution exposure in the generated application; no confirmed compromise of the package consumer during installation.
Mechanism
Generated Python code compilation and execution via `exec`.
Rationale
Source inspection does not support a malicious publish block, but the optional generated code executor is a real dangerous capability with incomplete execution controls. Downgrade to warn rather than marking clean.
Evidence
package.jsondist/cli.jsdist/commands/add.jsdist/commands/create.jsdist/templates/ai-service-tools.jsdist/license.jsdist/utils/provider-db.js~/.chimerai/license.json
Network endpoints3
chimerai-activate-worker.chimerai.workers.dev/activateapi.openai.com/v1/modelsapi.anthropic.com/v1/messages

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/templates/ai-service-tools.js` generates a Python `CodeInterpreterTool` that compiles and executes supplied code.
  • The generated executor's `timeout` parameter is not enforced around `exec(byte_code, env)`.
  • `dist/commands/add.js` can write the AI-tools template into a target project after an explicit add command.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
  • `dist/cli.js` registers actions behind explicit `chimerai` subcommands; importing `dist/index.js` only exports modules.
  • `dist/commands/create.js` runs its generated installer only when the user supplies `--install`.
  • Network use is package-aligned: license activation uses the ChimerAI worker, while provider validation calls user-selected provider APIs.
  • No source evidence of credential harvesting, exfiltration, hidden persistence, remote payload loading, or AI-agent configuration mutation.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 49 file(s), 1.57 MB of source, external domains: api.airtable.com, api.anthropic.com, api.groq.com, api.openai.com, api.stripe.com, app.example.com, chimerai-activate-worker.chimerai.workers.dev, chimerai.dev, dashboard.stripe.com, demo.chimerai.dev, en.wikipedia.org, example.com, generativelanguage.googleapis.com, github.com, hooks.zapier.com, my-blog.com, my-shop.com, n8n.example.com, news.ycombinator.com, nextjs.org, openapi.vercel.sh, python.org, sentry.io, upload.wikimedia.org, upstash.com, webhook.site, www.googleapis.com, www.prisma.io, www.w3.org, your-app.com, your-cdn.com, your-resource.openai.azure.com, your-site.com, yourdomain.com

Source & flagged code

6 flagged · loading source
dist/commands/add.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @chimerai/cli@1.2.172 matchedIdentity = npm:QGNoaW1lcmFpL2NsaQ:1.2.172 similarity = 0.959 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/commands/add.jsView on unpkg
2254// Add import and call at the end of the main() function L2255: const patchedSeed = seedContent.replace(/main\(\)\s*\n\s*\.catch/, `main()\n .then(async () => {\n // Auto-added by chimerai add model-providers\n const { execSync } = requi... L2256: if (patchedSeed !== seedContent) {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/commands/add.jsView on unpkg · L2254
1675patternName = generic_password severity = medium line = 1675 matchedText = const pa...23';
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/commands/add.jsView on unpkg · L1675
dist/templates/ai-service-tools.jsView file
483start = time.perf_counter() L484: exec(byte_code, env) L485: elapsed_ms = int((time.perf_counter() - start) * 1000)
High
Child Process

Package source references child process execution.

dist/templates/ai-service-tools.jsView on unpkg · L483
dist/commands/dev.jsView file
15const fs_extra_1 = __importDefault(require("fs-extra")); L16: const execa_1 = require("execa"); L17: const scanner_js_1 = require("../scanner.js");
High
Shell

Package source references shell execution.

dist/commands/dev.jsView on unpkg · L15
dist/scanner.jsView file
11exports.scanProject = scanProject; L12: const path_1 = __importDefault(require("path")); L13: const fs_extra_1 = __importDefault(require("fs-extra"));
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/scanner.jsView on unpkg · L11

Findings

1 Critical3 High5 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/commands/add.js
HighChild Processdist/templates/ai-service-tools.js
HighShelldist/commands/dev.js
HighRuntime Package Installdist/commands/add.js
MediumSecret Patterndist/commands/add.js
MediumDynamic Requiredist/scanner.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings