registry  /  @galda/cli  /  0.10.1

@galda/cli@0.10.1

Galda - hand off work to your Claude Code, get proof back. Runs on your existing subscription, no extra API cost.

AI Security Review

scanned 2d ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `galda` / `npx @galda/cli`.
Impact
A compromised or abusive relay could submit work that launches Claude/Codex agents against configured local projects.
Mechanism
Authenticated WebSocket relay proxies remote requests into the local AI-agent server.
Rationale
The package presents a high-impact remote AI-agent control channel, but source inspection found no install-time execution, credential harvesting, hidden payload, or concrete malicious chain. Treat it as a warned dangerous capability rather than malware.
Evidence
package.jsonbin/manager-for-ai.mjsengine/relay-client.mjsengine/server.mjsengine/mcp.mjsengine/lib.mjs~/.manager-for-ai/secret.key~/.manager-for-ai/license.token
Network endpoints2
agent-manager-billing-api.a2c-tech.workers.devwss://app.galda.app/agent

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `bin/manager-for-ai.mjs` defaults to a public billing API and `wss://app.galda.app/agent` when the CLI runs.
  • `engine/relay-client.mjs` reads the local access key and forwards relay-supplied requests to the local manager with that key injected.
  • `engine/server.mjs` runs `claude` or `codex` workers for submitted goals, which can act in a selected project.
  • The relay reconnects persistently while the user-run CLI process remains active.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
  • Execution starts only through the explicit `galda` CLI entrypoint or direct server invocation.
  • Source reads only package-owned `~/.manager-for-ai/secret.key` and `license.token`; no broad credential harvesting was found.
  • No bidi/invisible Unicode control bytes were found in `engine/lib.mjs`; the scanner Trojan Source finding is unsupported.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 10 file(s), 348 KB of source, external domains: agent-manager-billing-api.a2c-tech.workers.dev, claude.ai, claude.com, github.com

Source & flagged code

5 flagged · loading source
bin/manager-for-ai.mjsView file
8L9: import { spawnSync } from 'node:child_process'; L10: import { existsSync } from 'node:fs';
High
Child Process

Package source references child process execution.

bin/manager-for-ai.mjsView on unpkg · L8
8L9: import { spawnSync } from 'node:child_process'; L10: import { existsSync } from 'node:fs'; ... L18: // resolution kicks in. On macOS/Linux keep shell off (no injection surface). L19: const WIN = process.platform === 'win32'; L20: const probe = (cmd, args) => spawnSync(cmd, args, { encoding: 'utf8', shell: WIN }); ... L26: say('Galda runs on your Claude Code subscription (no extra API cost).'); L27: say('Install it first: https://claude.com/claude-code — then log in with `claude`.'); L28: process.exit(1); L29: } L30: say(`claude CLI: ${claude.stdout.trim()}`); L31:
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/manager-for-ai.mjsView on unpkg · L8
8Cross-file remote execution chain: bin/manager-for-ai.mjs spawns engine/server.mjs; helper contains network access plus dynamic code execution. L8: L9: import { spawnSync } from 'node:child_process'; L10: import { existsSync } from 'node:fs'; ... L18: // resolution kicks in. On macOS/Linux keep shell off (no injection surface). L19: const WIN = process.platform === 'win32'; L20: const probe = (cmd, args) => spawnSync(cmd, args, { encoding: 'utf8', shell: WIN }); ... L26: say('Galda runs on your Claude Code subscription (no extra API cost).'); L27: say('Install it first: https://claude.com/claude-code — then log in with `claude`.'); L28: process.exit(1); L29: } L30: say(`claude CLI: ${claude.stdout.trim()}`); L31:
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

bin/manager-for-ai.mjsView on unpkg · L8
61process.env.RELAY_URL = process.env.RELAY_URL ?? 'wss://app.galda.app/agent'; L62: await import(pathToFileURL(join(ROOT, 'engine', 'server.mjs')).href); L63:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/manager-for-ai.mjsView on unpkg · L61
engine/lib.mjsView file
1535contains invisible/control Unicode U+FEFF (zero width no-break space) const m = text.match(/^<U+FEFF>?---[ \t]*\r?\n([\s\S]*?)\r?\n---/);
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

engine/lib.mjsView on unpkg · L1535

Findings

1 Critical4 High4 Medium6 Low
CriticalTrojan Source Unicodeengine/lib.mjs
HighChild Processbin/manager-for-ai.mjs
HighShell
HighSandbox Evasion Gated Capabilitybin/manager-for-ai.mjs
HighCross File Remote Execution Contextbin/manager-for-ai.mjs
MediumDynamic Requirebin/manager-for-ai.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEval
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License