registry  /  @galda/cli  /  0.10.9

@galda/cli@0.10.9

Galda - hand off work to your Claude Code, get proof back. Runs on your existing subscription, no extra API cost.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs `galda` or `npx @galda/cli`.
Impact
A compromised or abusive relay/operator could direct authenticated local task actions and receive relayed responses; licensed task history is sent to the package billing service.
Mechanism
Hosted WebSocket relay proxies requests to a key-protected local agent runner.
Rationale
Source confirms a high-impact, hosted remote agent-control design and licensed task-history upload, but not malicious installation behavior or a concrete covert attack chain. Warn for dangerous capability rather than block.
Evidence
package.jsonbin/manager-for-ai.mjsengine/relay-client.mjsengine/server.mjsengine/analytics-client.mjsengine/mcp.mjsengine/lib.mjs
Network endpoints3
galda.appwss://app.galda.app/agentapp.galda.app

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `bin/manager-for-ai.mjs` defaults to a hosted WebSocket relay and starts it after the user runs the CLI.
  • `engine/relay-client.mjs` accepts relay-supplied URLs and forwards them to the local server while injecting its access key.
  • `engine/server.mjs` launches Claude/Codex workers from task requests, enabling code-capable agent actions in selected projects.
  • `engine/server.mjs` posts licensed task text and results to the billing API history endpoint.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • Execution begins through the explicit `galda` bin command, not package import.
  • The local server binds to `127.0.0.1` and checks an access key before protected routes.
  • The reported Unicode control is only an optional BOM match in YAML front-matter parsing, not hidden control-flow text.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 11 file(s), 371 KB of source, external domains: app.galda.app, claude.ai, claude.com, galda.app, github.com

Source & flagged code

6 flagged · loading source
bin/manager-for-ai.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @galda/cli@0.10.1 matchedIdentity = npm:QGdhbGRhL2NsaQ:0.10.1 similarity = 0.600 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/manager-for-ai.mjsView on unpkg
8L9: import { spawnSync } from 'node:child_process'; L10: import { existsSync } from 'node:fs';
High
Child Process

Package source references child process execution.

bin/manager-for-ai.mjsView on unpkg · L8
8L9: import { spawnSync } from 'node:child_process'; L10: import { existsSync } from 'node:fs'; ... L12: import { fileURLToPath, pathToFileURL } from 'node:url'; L13: import { createServer } from 'node:net'; L14: ... L35: // resolution kicks in. On macOS/Linux keep shell off (no injection surface). L36: const WIN = process.platform === 'win32'; L37: const probe = (cmd, args) => spawnSync(cmd, args, { encoding: 'utf8', shell: WIN }); ... L46: } L47: say(`claude CLI: ${claude.stdout.trim()}`); L48:
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/manager-for-ai.mjsView on unpkg · L8
8Cross-file remote execution chain: bin/manager-for-ai.mjs spawns engine/server.mjs; helper contains network access plus dynamic code execution. L8: L9: import { spawnSync } from 'node:child_process'; L10: import { existsSync } from 'node:fs'; ... L12: import { fileURLToPath, pathToFileURL } from 'node:url'; L13: import { createServer } from 'node:net'; L14: ... L35: // resolution kicks in. On macOS/Linux keep shell off (no injection surface). L36: const WIN = process.platform === 'win32'; L37: const probe = (cmd, args) => spawnSync(cmd, args, { encoding: 'utf8', shell: WIN }); ... L46: } L47: say(`claude CLI: ${claude.stdout.trim()}`); L48:
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

bin/manager-for-ai.mjsView on unpkg · L8
101process.env.MANAGER_PORT = String(port); L102: await import(pathToFileURL(join(ROOT, 'engine', 'server.mjs')).href); L103:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/manager-for-ai.mjsView on unpkg · L101
engine/lib.mjsView file
1549contains invisible/control Unicode U+FEFF (zero width no-break space) const m = text.match(/^<U+FEFF>?---[ \t]*\r?\n([\s\S]*?)\r?\n---/);
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

engine/lib.mjsView on unpkg · L1549

Findings

2 Critical4 High4 Medium6 Low
CriticalTrojan Source Unicodeengine/lib.mjs
CriticalPrevious Version Dangerous Deltabin/manager-for-ai.mjs
HighChild Processbin/manager-for-ai.mjs
HighShell
HighSandbox Evasion Gated Capabilitybin/manager-for-ai.mjs
HighCross File Remote Execution Contextbin/manager-for-ai.mjs
MediumDynamic Requirebin/manager-for-ai.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEval
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License