registry  /  @gitbase/cms  /  0.1.2

@gitbase/cms@0.1.2

Gitbase CMS — Git-based headless CMS by Codebind.io

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The CMS can dynamically import JavaScript from UNPKG at browser runtime for optional dependencies. It also exposes explicit, authenticated GitHub Agent Task actions.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
A CMS runtime feature invokes `loadModule()`; agent actions require an authenticated user calling task APIs.
Impact
A compromised or substituted CDN module could execute in the CMS browser origin; agent prompts are sent only through explicit CMS actions.
Mechanism
Remote CDN dynamic import plus user-invoked authenticated agent-task requests.
Rationale
No concrete malicious install, persistence, credential harvesting, or destructive chain was found. The unverified runtime CDN import is nevertheless a concrete dangerous capability warranting a warning rather than a block.
Evidence
package.jsondist/gitbase-cms.mjsdist/gitbase-cms.mjs.map
Network endpoints4
unpkg.com/admin/cms/agent/*/agents/repos/{owner}/{repo}/tasks/agents/tasks/{taskId}/steer

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/gitbase-cms.mjs.map` maps `src/lib/services/app/dependencies.js`, whose `loadModule()` dynamically imports modules from `https://unpkg.com/${library}@${version}`.
  • The browser bundle invokes the remote loader for optional runtime features, so third-party CDN JavaScript can execute after package load.
  • `dist/gitbase-cms.mjs.map` maps `src/lib/services/integrations/gitbase/github-agent.js`, which submits explicit user prompts to GitHub Agent Tasks or `/admin/cms/agent/*` using an authenticated session token.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, `prepare`, or `bin` entrypoint.
  • No mapped source imports Node `child_process` or uses `execSync`, `spawnSync`, `eval`, or `new Function`; the child-process scanner hit is unsupported.
  • Bidi controls originate in bundled third-party editor/UI sources in the source map, not package-owned Gitbase source.
  • Agent calls are gated by signed-in state and explicit task functions; no package code writes AI-agent configuration files.
Behavioral surface
Source
ChildProcessDynamicRequireNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 3.83 MB of source, external domains: ai.google.dev, aistudio.google.com, api-docs.deepseek.com, api.anthropic.com, api.deepseek.com, api.mistral.ai, api.openai.com, api.pexels.com, api.unsplash.com, bsky.app, codeberg.org, codebind.io, console.cloud.google.com, console.mistral.ai, discord.com, docs.claude.com, docs.mistral.ai, fonts.googleapis.com, fonts.gstatic.com, generativelanguage.googleapis.com, github.com, lea.verou.me, lexical.dev, opensource.org, picsum.photos, pixabay.com, platform.claude.com, platform.deepseek.com, platform.openai.com, react.dev, stackoverflow.com, svelte.dev, sveltiacms.app, translation.googleapis.com, unpkg.com, webplatform.github.io, www.openstreetmap.org, www.pexels.com, www.w3.org, www.youtube-nocookie.com, www.youtube.com, youtu.be

Source & flagged code

5 flagged · loading source
dist/gitbase-cms.jsView file
1(function(e){Object.defineProperties(e,{__esModule:{value:!0},[Symbol.toStringTag]:{value:`Module`}});var t=Object.create,n=Object.defineProperty,r=Object.getOwnPropertyDescriptor,... L2: /** ... L16: */ L17: var n=Object.getOwnPropertySymbols,r=Object.prototype.hasOwnProperty,i=Object.prototype.propertyIsEnumerable;function a(e){if(e==null)throw TypeError(`Object.assign cannot be calle... L18: \r\f\xA0\v`]}));function us(e,t,n,r,i,a){var o=e[Fe];if(bt||o!==n||o===void 0){var s=is(n,r,a);(!bt||s!==e.getAttribute(`class`))&&(s==null?e.removeAttribute(`class`):t?e.classNam... ... L44: `),Ap=async e=>{let t=typeof e==`string`?new Blob([e],{type:`text/plain`}):e,n=new FileReader;return new Promise((e,r)=>{n.onload=()=>{e(n.result)},n.onerror=()=>{r(n.error)},n.rea... L45: \r  `),xm=(e,t)=>new nm(`missing-syntax`,e,e+t.length,t),Sm=(...e)=>new nm(...e)}));function Dee(e,t){let{node:n,pattern:r}=t,{functionRef:i=n,attributes:a=null,declaration:o=n,exp... L46: `)}},sg.defaultYaml={explicit:!1,version:`1.2`},sg.defaultTags={"!!":`tag:yaml.org,2002:`}}));function lg(e){if(/[\x00-\x19\s,[\]{}]/.test(e)){let t=`Anchor must not contain whites... ... L125: `:` L126: `)+(a.substring(1)||` `
Critical
Download Execute

Source downloads or fetches remote code and executes it.

dist/gitbase-cms.jsView on unpkg · L1
126contains invisible/control Unicode U+FEFF (zero width no-break space) `)+(a.substring(1)||` `),n=!0,r=!1;break;case`%`:e[i+1]?.[0]!==`#`&&(i+=1),n=!1;break;default:n||(r=!0),n=!1}}return{comment:t,afterEmptyLine:r}}var Hv,Uv=s((()=>{cg(),xv(),Tv(),Xh(),Ene(),Nv(),Hv=class{constructor(e={}){this.doc=null,this.
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/gitbase-cms.jsView on unpkg · L126
694`)))]},match:TX.tag(`div`),name:`@lexical/code/vscode-wrapper`}),ZY({$import:(e,t,n)=>{if(!UX(t)||HX(t))return n();let r=t.previousElementSibling;if(r&&UX(r))return[];let i=[],a=t;... L695: `)))]},match:TX.tag(`div`,`br`),name:`@lexical/code/vscode-line-run`})]),TX.tag(`div`),TX.tag(`table`).classAll(`js-file-line-container`),TX.tag(`td`).classAll(`js-file-line`)})),j... L696: `||i===`\r
High
Child Process

Package source references child process execution.

dist/gitbase-cms.jsView on unpkg · L694
643`),_=`AWS4-HMAC-SHA256`,v=`${d}/${o}/${s}/aws4_request`,y=[_,u,v,await $A(g)].join(` L644: `),b=await QA(await QA(await QA(await QA(await QA(`AWS4${a}`,d),o),s),`aws4_request`),y),x=Array.from(b).map(e=>e.toString(16).padStart(2,`0`)).join(``);return[`${_} Credential=${i... L645: @media (width < 768px) {.floating-action-button-wrapper.svelte-1n8ggvr {display:block;position:fixed;inset-inline-end:16px;inset-block-end:72px;z-index:100;}.floating-action-button...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/gitbase-cms.jsView on unpkg · L643
dist/gitbase-cms.mjsView file
1Trigger-reachable chain: manifest.main -> dist/gitbase-cms.mjs L1: var e=Object.create,t=Object.defineProperty,n=Object.getOwnPropertyDescriptor,r=Object.getOwnPropertyNames,i=Object.getPrototypeOf,a=Object.prototype.hasOwnProperty,o=(e,t)=>()=>(e... L2: /** ... L16: */ L17: var n=Object.getOwnPropertySymbols,r=Object.prototype.hasOwnProperty,i=Object.prototype.propertyIsEnumerable;function a(e){if(e==null)throw TypeError(`Object.assign cannot be calle... L18: \r\f\xA0\v`]}));function ss(e,t,n,r,i,a){var o=e[Pe];if(yt||o!==n||o===void 0){var s=ts(n,r,a);(!yt||s!==e.getAttribute(`class`))&&(s==null?e.removeAttribute(`class`):t?e.classNam... ... L44: `),Dp=async e=>{let t=typeof e==`string`?new Blob([e],{type:`text/plain`}):e,n=new FileReader;return new Promise((e,r)=>{n.onload=()=>{e(n.result)},n.onerror=()=>{r(n.error)},n.rea... L45: \r  `),hm=(e,t)=>new $p(`missing-syntax`,e,e+t.length,t),gm=(...e)=>new $p(...e)}));function Mee(e,t){let{node:n,pattern:r}=t,{functionRef:i=n,attributes:a=null,declaration:o=n,exp... L46: `)}},tg.defaultYaml={explicit:!1,version:`1.2`},tg.defaultTags={"!!":`tag:yaml.org,2002:`}}));function rg(e){if(/[\x00-\x19\s,[\]{}]/.test(e)){let t=`Anchor must n…
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/gitbase-cms.mjsView on unpkg · L1

Findings

3 Critical1 High3 Medium2 Low
CriticalDownload Executedist/gitbase-cms.js
CriticalTrojan Source Unicodedist/gitbase-cms.js
CriticalTrigger Reachable Dangerous Capabilitydist/gitbase-cms.mjs
HighChild Processdist/gitbase-cms.js
MediumDynamic Requiredist/gitbase-cms.js
MediumNetwork
MediumStructural Risk Force Deep Review
LowHigh Entropy Strings
LowUrl Strings