registry  /  @gbits-jszx/dg-cli  /  0.8.49

@gbits-jszx/dg-cli@0.8.49

DataGateway CLI — 部署/运维/配置一站式(Go binary,npx 分发)

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The CLI wrapper runs only when the user invokes dg-cli, checks its package version at npm, and forwards arguments to its platform binary.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs dg-cli or npx dg-cli.
Impact
Executes the resolved bundled platform binary with inherited user arguments and environment; inspected wrapper does not transmit that environment.
Mechanism
Platform-binary launcher with asynchronous npm version check.
Rationale
Static hints reflect normal CLI bootstrap behavior: a version-check request, environment forwarding, and direct execution of a platform-specific binary. Source inspection found no install-time execution, harvesting, exfiltration, remote payload loading, persistence, or AI-agent control-surface mutation.
Evidence
package.jsonbin/dg-cli.jsREADME.mdnode_modules/@gbits-jszx/dg-cli-<platform>-<arch>/bin/dg-cli[.exe]
Network endpoints1
registry.npmjs.org/-/package/@gbits-jszx/dg-cli/dist-tags

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no lifecycle scripts.
    • bin/dg-cli.js only asynchronously checks its own npm dist-tags.
    • Child process execution resolves a platform-specific optional dependency binary.
    • Environment is passed unchanged to that user-invoked binary; no collection or exfiltration is present.
    • chmodSync only repairs execute permission on the resolved package binary after EACCES.
    • No dynamic code loading, shell execution, persistence, or destructive file operations found.
    Behavioral surface
    Source
    ChildProcessEnvironmentVarsFilesystemNetwork
    Supply chain
    UrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 1 file(s), 4.92 KB of source, external domains: registry.npmjs.org

    Source & flagged code

    4 flagged · loading source
    bin/dg-cli.jsView file
    5"use strict"; L6: const { execFileSync } = require("child_process"); L7: ... L18: function checkLatestAsync() { L19: if (process.env.DG_NPX_NO_VERSION_CHECK) return; // 离线/CI 用环境变量短路 L20: try { L21: const https = require("https"); L22: const localVer = require("../package.json").version;
    Critical
    Same File Env Network Execution

    A single source file combines environment access, network access, and code or shell execution with blocking evidence.

    bin/dg-cli.jsView on unpkg · L5
    Trigger-reachable chain: manifest.bin -> bin/dg-cli.js Reachable file contains a blocking source-risk pattern.
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    bin/dg-cli.jsView on unpkg
    5"use strict"; L6: const { execFileSync } = require("child_process"); L7:
    High
    Child Process

    Package source references child process execution.

    bin/dg-cli.jsView on unpkg · L5
    1#!/usr/bin/env node L2: // dg-cli npm bootstrap: 按 process.platform/arch 解析对应平台子包二进制并透传调用。 L3: // 设计原则:stdio inherit + 默认 cwd + 默认 env,确保子进程感知到的运行环境与直接跑二进制完全一致。 ... L5: "use strict"; L6: const { execFileSync } = require("child_process"); L7: ... L18: function checkLatestAsync() { L19: if (process.env.DG_NPX_NO_VERSION_CHECK) return; // 离线/CI 用环境变量短路 L20: try { L21: const https = require("https"); L22: const localVer = require("../package.json").version; L23: const url = "https://registry.npmjs.org/-/package/@gbits-jszx/dg-cli/dist-tags";
    High
    Sandbox Evasion Gated Capability

    Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

    bin/dg-cli.jsView on unpkg · L1

    Findings

    2 Critical2 High3 Medium2 Low
    CriticalSame File Env Network Executionbin/dg-cli.js
    CriticalTrigger Reachable Dangerous Capabilitybin/dg-cli.js
    HighChild Processbin/dg-cli.js
    HighSandbox Evasion Gated Capabilitybin/dg-cli.js
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowFilesystem
    LowUrl Strings