registry  /  @galda/cli  /  0.10.20

@galda/cli@0.10.20

Galda - hand off work to Claude Code or Codex, get proof back. Runs on your existing subscription, no extra API cost.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `galda`/`npx @galda/cli` and signs in to the hosted relay.
Impact
A compromise or misuse of the hosted authenticated control plane could cause agent-driven workspace changes on the enrolled machine.
Mechanism
Hosted relay bridges requests into a local AI-agent workspace executor.
Rationale
Source does not support a malicious block verdict, but it confirms a real hosted relay-to-local AI-agent execution capability. Treat as a warning-level dangerous dual-use capability rather than malware.
Evidence
package.jsonbin/manager-for-ai.mjsengine/relay-client.mjsengine/server.mjsengine/lib.mjs~/.manager-for-ai/secret.key~/.manager-for-ai/license.token
Network endpoints3
galda.appapp.galda.appwss://app.galda.app/agent

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `bin/manager-for-ai.mjs` defaults to `wss://app.galda.app/agent` and launches `engine/relay-client.mjs`.
  • `engine/relay-client.mjs` forwards relay-supplied requests to the authenticated local server, injecting its local access key.
  • `engine/server.mjs` starts Claude/Codex workers that can write the selected workspace and run restricted Node/npm/npx commands.
  • `engine/server.mjs` persists a local secret key and relay/license state under `~/.manager-for-ai`.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • The execution path is activated only by explicit `galda` CLI invocation.
  • `bin/manager-for-ai.mjs` detects Codex by PATH lookup rather than executing it.
  • No hidden Unicode bidi/invisible controls were found in `engine/lib.mjs`.
  • No source evidence shows credential harvesting, arbitrary outbound exfiltration, or foreign AI-agent config mutation.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 11 file(s), 450 KB of source, external domains: app.galda.app, claude.ai, claude.com, galda.app, github.com

Source & flagged code

6 flagged · loading source
bin/manager-for-ai.mjsView file
8L9: import { spawnSync } from 'node:child_process'; L10: import { existsSync } from 'node:fs';
High
Child Process

Package source references child process execution.

bin/manager-for-ai.mjsView on unpkg · L8
8L9: import { spawnSync } from 'node:child_process'; L10: import { existsSync } from 'node:fs'; ... L12: import { fileURLToPath, pathToFileURL } from 'node:url'; L13: import { createServer } from 'node:net'; L14: import { isCommandOnPath, resolveConnectedAgents } from '../engine/lib.mjs'; ... L36: // resolution kicks in. On macOS/Linux keep shell off (no injection surface). L37: const WIN = process.platform === 'win32'; L38: const probe = (cmd, args) => spawnSync(cmd, args, { encoding: 'utf8', shell: WIN }); ... L47: const hasClaude = !claude.error && claude.status === 0; L48: const hasCodex = isCommandOnPath('codex', { pathEnv: process.env.PATH || '', sep: WIN ? ';' : ':', pathExt: WIN ? (process.env.PATHEXT || '') : '' }); L49: if (!hasClaude && !hasCodex) {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/manager-for-ai.mjsView on unpkg · L8
8Cross-file remote execution chain: bin/manager-for-ai.mjs spawns engine/server.mjs; helper contains network access plus dynamic code execution. L8: L9: import { spawnSync } from 'node:child_process'; L10: import { existsSync } from 'node:fs'; ... L12: import { fileURLToPath, pathToFileURL } from 'node:url'; L13: import { createServer } from 'node:net'; L14: import { isCommandOnPath, resolveConnectedAgents } from '../engine/lib.mjs'; ... L36: // resolution kicks in. On macOS/Linux keep shell off (no injection surface). L37: const WIN = process.platform === 'win32'; L38: const probe = (cmd, args) => spawnSync(cmd, args, { encoding: 'utf8', shell: WIN }); ... L47: const hasClaude = !claude.error && claude.status === 0; L48: const hasCodex = isCommandOnPath('codex', { pathEnv: process.env.PATH || '', sep: WIN ? ';' : ':', pathExt: WIN ? (process.env.PATHEXT || '') : '' }); L49: if (!hasClaude && !hasCodex) {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

bin/manager-for-ai.mjsView on unpkg · L8
107process.env.MANAGER_PORT = String(port); L108: await import(pathToFileURL(join(ROOT, 'engine', 'server.mjs')).href); L109:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/manager-for-ai.mjsView on unpkg · L107
engine/lib.mjsView file
1879contains invisible/control Unicode U+FEFF (zero width no-break space) const m = text.match(/^<U+FEFF>?---[ \t]*\r?\n([\s\S]*?)\r?\n---/);
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

engine/lib.mjsView on unpkg · L1879
Trigger-reachable chain: manifest.bin -> bin/manager-for-ai.mjs -> engine/lib.mjs Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

engine/lib.mjsView on unpkg

Findings

2 Critical4 High4 Medium6 Low
CriticalTrojan Source Unicodeengine/lib.mjs
CriticalTrigger Reachable Dangerous Capabilityengine/lib.mjs
HighChild Processbin/manager-for-ai.mjs
HighShell
HighSandbox Evasion Gated Capabilitybin/manager-for-ai.mjs
HighCross File Remote Execution Contextbin/manager-for-ai.mjs
MediumDynamic Requirebin/manager-for-ai.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEval
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License