AI Security Review
scanned 2h ago · by lpm-firewall-aiExplicit `wizard-ai` execution downloads a mutable remote repository and runs its platform installer, using `sudo` on Unix. Explicit `ai-proxy enable` creates a persistent local proxy daemon; `provision` delegates local token extraction to another installed skill.
Static reason
No blocking static signals were detected.
Trigger
User runs `wizard-ai`/`pi-agent-setup`, or explicitly runs `ai-proxy provision` or `ai-proxy enable`.
Impact
A changed remote setup script could execute with user-approved elevated privileges; proxy setup can persist and access locally provisioned account tokens.
Mechanism
Remote setup execution with privileged install and opt-in AI proxy persistence.
Rationale
No concrete malicious exfiltration or unconsented lifecycle mutation is present in the package. However, explicit execution fetches and runs mutable remote code with `sudo`, and the package provides persistent, token-adjacent AI proxy setup.
Evidence
package.jsoncli.jsscripts/ai-proxy.jsREADME.md~/.wizard-ai~/.pi-antigravity-rotator/litellm_config.yaml~/.config/systemd/user/ai-proxy.service~/Library/LaunchAgents/com.wizardai.proxy.plist%APPDATA%/Microsoft/Windows/Start Menu/Programs/Startup/ai-proxy.vbs~/.agents/skills/cockpit-bridge/scripts/cockpit-reader.mjs
Network endpoints2
github.com/darkrei08/Wizard-AI.git127.0.0.1:51200/v1
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `cli.js` clones a mutable GitHub repo then executes its setup script.
- `cli.js` invokes the downloaded Unix setup through `sudo`.
- `scripts/ai-proxy.js` creates boot-persistent user services/startup entries.
- `ai-proxy provision` invokes a local skill documented to extract refresh tokens.
Evidence against
- `package.json` contains no npm lifecycle scripts.
- Persistence and provisioning require explicit `ai-proxy` subcommands.
- No package source exfiltrates credentials or contacts a non-local endpoint.
- Daemon config uses loopback endpoints and dummy API keys.
Behavioral surface
ChildProcessEnvironmentVarsFilesystem
HighEntropyStringsUrlStrings
CopyleftLicense
Source & flagged code
2 flagged · loading sourcescripts/ai-proxy.jsView file
2L3: const { execSync } = require('child_process');
L4: const path = require('path');
...
L30:
L31: const LITELLM_CONFIG_FILE = path.join(os.homedir(), '.pi-antigravity-rotator', 'litellm_config.yaml');
L32: const LITELLM_LOG_FILE = path.join(os.homedir(), '.pi-antigravity-rotator', 'litellm.log');
...
L38: model: openai/gemini-3.1-pro
L39: api_base: http://127.0.0.1:51200/v1
L40: api_key: dummy
...
L197:
L198: runCommand(`launchctl load -w "${path.join(plistDir, 'com.wizardai.proxy.plist')}"`, true);
L199: runCommand(`launchctl load -w "${path.join(plistDir, 'com.wizardai.proxy.litellm.plist')}"`, true);
Medium
Install Persistence
Source writes installer persistence such as shell profile or service configuration.
scripts/ai-proxy.jsView on unpkg · L2scripts/install-mattpocock-skills.shView file
•path = scripts/install-mattpocock-skills.sh
kind = build_helper
sizeBytes = 2656
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
scripts/install-mattpocock-skills.shView on unpkgFindings
4 Medium4 Low
MediumEnvironment Vars
MediumInstall Persistencescripts/ai-proxy.js
MediumShips Build Helperscripts/install-mattpocock-skills.sh
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License