registry  /  @gbits-jszx/dg-cli  /  0.8.39

@gbits-jszx/dg-cli@0.8.39

DataGateway CLI — 部署/运维/配置一站式(Go binary,npx 分发)

AI Security Review

scanned 10d ago · by lpm-firewall-ai

No confirmed malicious attack surface in the wrapper package. The CLI entrypoint launches a declared platform binary and performs a benign version check, but there is no lifecycle hook or hidden mutation in this package source.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs the dg-cli bin entrypoint
Impact
Executes the package-aligned platform binary with inherited stdio/env; no source evidence of exfiltration or persistence in this wrapper
Mechanism
platform binary bootstrap with npm dist-tags version check
Rationale
Static inspection shows a normal npm bootstrap wrapper for declared optional platform packages plus a package-aligned registry version check. The risky primitives are user-invoked and aligned with the CLI distribution model, with no install-time execution, credential theft, persistence, or agent hijack behavior in the inspected package.
Evidence
package.jsonbin/dg-cli.js@gbits-jszx/dg-cli-${platform}-${arch}/bin/dg-cli(.exe)
Network endpoints1
registry.npmjs.org/-/package/@gbits-jszx/dg-cli/dist-tags

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • bin/dg-cli.js performs a runtime npm registry version check at registry.npmjs.org
  • bin/dg-cli.js executes a platform-specific optional dependency binary via execFileSync
  • bin/dg-cli.js forwards process.env and CLI args to the resolved binary
  • bin/dg-cli.js may chmod the resolved package binary after EACCES
Evidence against
  • package.json has no lifecycle scripts, so no install-time execution was found
  • package.json only exposes bin/dg-cli.js and ships bin/ plus README.md
  • bin/dg-cli.js resolves only @gbits-jszx/dg-cli-${platform}-${arch}/bin/dg-cli(.exe) from declared optionalDependencies
  • Network use is limited to a package-aligned version check with DG_NPX_NO_VERSION_CHECK opt-out
  • No credential harvesting, exfiltration endpoint, persistence, destructive action, or AI-agent control-surface writes found in inspected files
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 4.92 KB of source, external domains: registry.npmjs.org

Source & flagged code

4 flagged · loading source
bin/dg-cli.jsView file
5"use strict"; L6: const { execFileSync } = require("child_process"); L7: ... L18: function checkLatestAsync() { L19: if (process.env.DG_NPX_NO_VERSION_CHECK) return; // 离线/CI 用环境变量短路 L20: try { L21: const https = require("https"); L22: const localVer = require("../package.json").version;
Critical
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution with blocking evidence.

bin/dg-cli.jsView on unpkg · L5
Trigger-reachable chain: manifest.bin -> bin/dg-cli.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

bin/dg-cli.jsView on unpkg
5"use strict"; L6: const { execFileSync } = require("child_process"); L7:
High
Child Process

Package source references child process execution.

bin/dg-cli.jsView on unpkg · L5
1#!/usr/bin/env node L2: // dg-cli npm bootstrap: 按 process.platform/arch 解析对应平台子包二进制并透传调用。 L3: // 设计原则:stdio inherit + 默认 cwd + 默认 env,确保子进程感知到的运行环境与直接跑二进制完全一致。 ... L5: "use strict"; L6: const { execFileSync } = require("child_process"); L7: ... L18: function checkLatestAsync() { L19: if (process.env.DG_NPX_NO_VERSION_CHECK) return; // 离线/CI 用环境变量短路 L20: try { L21: const https = require("https"); L22: const localVer = require("../package.json").version; L23: const url = "https://registry.npmjs.org/-/package/@gbits-jszx/dg-cli/dist-tags";
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/dg-cli.jsView on unpkg · L1

Findings

2 Critical2 High3 Medium2 Low
CriticalSame File Env Network Executionbin/dg-cli.js
CriticalTrigger Reachable Dangerous Capabilitybin/dg-cli.js
HighChild Processbin/dg-cli.js
HighSandbox Evasion Gated Capabilitybin/dg-cli.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowFilesystem
LowUrl Strings