registry  /  @darkrei08/wizard-ai-cli  /  0.46.0

@darkrei08/wizard-ai-cli@0.46.0

Installer for the Wizard-AI environment: AI CLI tools and Claude Code skills (graphify, llmlingua, flashrank, markitdown and more). Clones the repo and runs the platform setup script.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Explicit `wizard-ai` execution downloads a mutable remote repository and runs its platform installer, using `sudo` on Unix. Explicit `ai-proxy enable` creates a persistent local proxy daemon; `provision` delegates local token extraction to another installed skill.

Static reason
No blocking static signals were detected.
Trigger
User runs `wizard-ai`/`pi-agent-setup`, or explicitly runs `ai-proxy provision` or `ai-proxy enable`.
Impact
A changed remote setup script could execute with user-approved elevated privileges; proxy setup can persist and access locally provisioned account tokens.
Mechanism
Remote setup execution with privileged install and opt-in AI proxy persistence.
Rationale
No concrete malicious exfiltration or unconsented lifecycle mutation is present in the package. However, explicit execution fetches and runs mutable remote code with `sudo`, and the package provides persistent, token-adjacent AI proxy setup.
Evidence
package.jsoncli.jsscripts/ai-proxy.jsREADME.md~/.wizard-ai~/.pi-antigravity-rotator/litellm_config.yaml~/.config/systemd/user/ai-proxy.service~/Library/LaunchAgents/com.wizardai.proxy.plist%APPDATA%/Microsoft/Windows/Start Menu/Programs/Startup/ai-proxy.vbs~/.agents/skills/cockpit-bridge/scripts/cockpit-reader.mjs
Network endpoints2
github.com/darkrei08/Wizard-AI.git127.0.0.1:51200/v1

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `cli.js` clones a mutable GitHub repo then executes its setup script.
  • `cli.js` invokes the downloaded Unix setup through `sudo`.
  • `scripts/ai-proxy.js` creates boot-persistent user services/startup entries.
  • `ai-proxy provision` invokes a local skill documented to extract refresh tokens.
Evidence against
  • `package.json` contains no npm lifecycle scripts.
  • Persistence and provisioning require explicit `ai-proxy` subcommands.
  • No package source exfiltrates credentials or contacts a non-local endpoint.
  • Daemon config uses loopback endpoints and dummy API keys.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystem
Supply chain
HighEntropyStringsUrlStrings
Manifest
CopyleftLicense
scanned 2 file(s), 15.7 KB of source, external domains: 127.0.0.1, git-scm.com, github.com, www.apple.com

Source & flagged code

2 flagged · loading source
scripts/ai-proxy.jsView file
2L3: const { execSync } = require('child_process'); L4: const path = require('path'); ... L30: L31: const LITELLM_CONFIG_FILE = path.join(os.homedir(), '.pi-antigravity-rotator', 'litellm_config.yaml'); L32: const LITELLM_LOG_FILE = path.join(os.homedir(), '.pi-antigravity-rotator', 'litellm.log'); ... L38: model: openai/gemini-3.1-pro L39: api_base: http://127.0.0.1:51200/v1 L40: api_key: dummy ... L197: L198: runCommand(`launchctl load -w "${path.join(plistDir, 'com.wizardai.proxy.plist')}"`, true); L199: runCommand(`launchctl load -w "${path.join(plistDir, 'com.wizardai.proxy.litellm.plist')}"`, true);
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

scripts/ai-proxy.jsView on unpkg · L2
scripts/install-mattpocock-skills.shView file
path = scripts/install-mattpocock-skills.sh kind = build_helper sizeBytes = 2656 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/install-mattpocock-skills.shView on unpkg

Findings

4 Medium4 Low
MediumEnvironment Vars
MediumInstall Persistencescripts/ai-proxy.js
MediumShips Build Helperscripts/install-mattpocock-skills.sh
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License