Flagged as agent extension risk
Allowed by default with warning: install-time first-party agent extension setup was detected.
@3.3.4
Antigravity Workflow Unified AI agent orchestration system
AI Security Reviewscanned 9h ago · by lpm-firewall-ai LPM treats this as warn-only first-party agent extension lifecycle risk. Importing the package performs update checks. Explicit `awkit install` downloads remote bundles, writes them into global AI-agent runtime directories, and may execute a remote Agy installer script in non-TTY mode.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
Import the package, or run `awkit install`; shell wrappers require `awkit rtk shell-on`.
Impact
Remote content can become global agent workflows/skills, and the selected Agy installer executes with the invoking user's privileges.
Mechanism
Import-time update checks plus explicit remote-download, shell-execution, and AI-agent configuration setup.
Rationale
Source inspection confirms risky remote installation and global agent-control-surface mutation behind explicit commands, including a remote script pipe. Because the root package has no npm lifecycle hook and no confirmed exfiltration or stealth behavior, this warrants a warning rather than a block.
Evidence
package.json bin/awk.js scripts/dependency-manager.js symphony/package.json symphony/scripts/postinstall.js ~/.awkit/config.json ~/.codex/AGENTS.md ~/.agents/skills ~/.zshrc
Network endpoints3
ai.kkvn.net /v1antigravity.google /cli/install.sh
api.github.com /repos/rtk-ai/rtk/releases/latest
Decision evidencepublic snapshot AI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
`bin/awk.js` runs update checks on package import via `checkAutoUpdate`. `awkit install` downloads authenticated ZIP bundles from the configurable default `https://ai.kkvn.net/v1` and extracts them. The installer copies workflows, skills, scripts, and rules into global AI-agent roots including `~/.codex` and `~/.agents/skills`. Non-TTY `awkit install` selects `agy` and can execute `curl ... install.sh | bash`. `awkit rtk shell-on` explicitly writes wrappers for npm, pnpm, yarn, cargo, and git into `~/.zshrc`. Evidence against
Root `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` hook. Agent-directory and shell changes are reached through explicit CLI commands, not npm installation. Inspected network paths implement update checks, configured package downloads, and user-requested Telegram sending; no credential-harvesting/exfiltration path was confirmed. Nested `symphony/scripts/postinstall.js` only invokes a local Next.js build and is not a root lifecycle hook. Source & flagged code30 flagged · loading source symphony/multica-ref/server/pkg/redact/redact_test.go View file 10 patternName = aws_access_key
severity = critical
line = 10
matchedText = input :=...fig"
Critical Critical Secret
Package contains a critical-looking secret pattern.
symphony/multica-ref/server/pkg/redact/redact_test.go View on unpkg · L10 10 patternName = aws_access_key
severity = critical
line = 10
matchedText = input :=...fig"
Critical Secret Pattern
AWS access key ID in symphony/multica-ref/server/pkg/redact/redact_test.go
symphony/multica-ref/server/pkg/redact/redact_test.go View on unpkg · L10 12 patternName = aws_access_key
severity = critical
line = 12
matchedText = if strin...") {
Critical Secret Pattern
AWS access key ID in symphony/multica-ref/server/pkg/redact/redact_test.go
symphony/multica-ref/server/pkg/redact/redact_test.go View on unpkg · L12 Findings22 Critical 5 High 7 Medium 5 Low
Critical Critical Secret symphony/multica-ref/server/pkg/redact/redact_test.go
Critical Same File Env Network Execution bin/awk.js
Critical Command Output Exfiltration bin/awk.js
Critical Download Execute bin/awk.js
Critical Trigger Reachable Dangerous Capability bin/awk.js
Critical Secret Pattern symphony/multica-ref/server/pkg/redact/redact_test.go
Critical Secret Pattern symphony/multica-ref/server/pkg/redact/redact_test.go
Critical Secret Pattern symphony/multica-ref/server/pkg/redact/redact_test.go
Critical Secret Pattern symphony/multica-ref/server/pkg/redact/redact_test.go
Critical Secret Pattern symphony/multica-ref/server/pkg/redact/redact_test.go
LPM CLI
Crypto
DynamicRequire
EnvironmentVars
Eval
Filesystem
Network
Shell
WebSocket
Supply chain HighEntropyStrings UrlStrings
Manifest WildcardDependency
scanned 566 file(s), 2.92 MB of source, external domains: 10.0.0.5, 10.255.255.255, 127.0.0.1, 172.15.0.1, 172.16.0.1, 172.31.255.255, 172.32.0.1, 192.168.0.1, 192.168.1.131, 192.168.50.59, 192.169.1.1, 8.8.8.8, accounts.google.com, ai.kkvn.net, aistudio.google.com, antigravity.google, api.example.test, api.github.com, api.lucylab.io, api.telegram.org, api.trello.com, app.multica, codeload.github.com, evil.com, example.com, git.example.com, github.com, multica.ai, openrouter.ai, raw.githubusercontent.com, schema.org, trello.com, www.multica.ai, www.rtk-ai.app, www.skills.sh, x.com
22 patternName = aws_secret_key
severity = critical
line = 22
matchedText = input :=...KEY"
Critical Secret Pattern
AWS secret access key in symphony/multica-ref/server/pkg/redact/redact_test.go
symphony/multica-ref/server/pkg/redact/redact_test.go View on unpkg · L22 31 patternName = private_key_rsa
severity = critical
line = 31
matchedText = input :=...ne."
Critical Secret Pattern
RSA private key in symphony/multica-ref/server/pkg/redact/redact_test.go
symphony/multica-ref/server/pkg/redact/redact_test.go View on unpkg · L31 43 patternName = github_pat
severity = critical
line = 43
matchedText = input :=...lmn"
Critical Secret Pattern
GitHub personal access token in symphony/multica-ref/server/pkg/redact/redact_test.go
symphony/multica-ref/server/pkg/redact/redact_test.go View on unpkg · L43 208 patternName = github_pat
severity = critical
line = 208
matchedText = input :=...lmn"
Critical Secret Pattern
GitHub personal access token in symphony/multica-ref/server/pkg/redact/redact_test.go
symphony/multica-ref/server/pkg/redact/redact_test.go View on unpkg · L208 208 patternName = aws_access_key
severity = critical
line = 208
matchedText = input :=...lmn"
Critical Secret Pattern
AWS access key ID in symphony/multica-ref/server/pkg/redact/redact_test.go
symphony/multica-ref/server/pkg/redact/redact_test.go View on unpkg · L208 210 patternName = aws_access_key
severity = critical
line = 210
matchedText = if strin...") {
Critical Secret Pattern
AWS access key ID in symphony/multica-ref/server/pkg/redact/redact_test.go
symphony/multica-ref/server/pkg/redact/redact_test.go View on unpkg · L210 26 const path = require('path');
L27: const https = require('https');
L28: const { execSync, spawnSync } = require('child_process');
L29: const os = require('os');
...
L33: const AWK_ROOT = path.join(__dirname, '..');
L34: const HOME = process.env.HOME || process.env.USERPROFILE;
L35:
Critical Same File Env Network Execution
A single source file combines environment access, network access, and code or shell execution with blocking evidence.
bin/awk.js View on unpkg · L26 26 const path = require('path');
L27: const https = require('https');
L28: const { execSync, spawnSync } = require('child_process');
L29: const os = require('os');
L30:
L31: const packageJson = require(path.join(__dirname, '..', 'package.json'));
L32: const AWK_VERSION = packageJson.version;
L33: const AWK_ROOT = path.join(__dirname, '..');
L34: const HOME = process.env.HOME || process.env.USERPROFILE;
L35:
...
L255: // Hide cursor
L256: if (process.stdout.isTTY) {
Critical Command Output Exfiltration
Source executes local commands and sends command output to an external endpoint.
bin/awk.js View on unpkg · L26 26 const path = require('path');
L27: const https = require('https');
L28: const { execSync, spawnSync } = require('child_process');
L29: const os = require('os');
L30:
L31: const packageJson = require(path.join(__dirname, '..', 'package.json'));
L32: const AWK_VERSION = packageJson.version;
L33: const AWK_ROOT = path.join(__dirname, '..');
L34: const HOME = process.env.HOME || process.env.USERPROFILE;
L35:
...
L255: // Hide cursor
L256: if (process.stdout.isTTY) {
1 const { generateGreeting, getGreetingHistory, getGreetingStats } = require('./index');
L2: const fs = require('fs');
Medium Dynamic Require
Package source references dynamic require/import behavior.
core/GreetingEngine/test.js View on unpkg · L1 symphony/multica-ref/docker/entrypoint.sh View file • path = symphony/multica-ref/docker/entrypoint.sh
kind = build_helper
sizeBytes = 110
magicHex = [redacted]
Medium Ships Build Helper
Package ships non-JavaScript build or shell helper files.
symphony/multica-ref/docker/entrypoint.sh View on unpkg symphony/multica-ref/apps/desktop/build/icon.icns View file • path = symphony/multica-ref/apps/desktop/build/icon.icns
kind = high_entropy_blob
sizeBytes = 1170743
magicHex = [redacted]
High Ships High Entropy Blob
Package ships high-entropy non-source blobs.
symphony/multica-ref/apps/desktop/build/icon.icns View on unpkg symphony/multica-ref/packages/views/issues/utils/redact.test.ts View file 6 patternName = aws_access_key
severity = critical
line = 6
matchedText = const re...E");
Critical Secret Pattern
AWS access key ID in symphony/multica-ref/packages/views/issues/utils/redact.test.ts
symphony/multica-ref/packages/views/issues/utils/redact.test.ts View on unpkg · L6 7 patternName = aws_access_key
severity = critical
line = 7
matchedText = expect(r...E");
Critical Secret Pattern
AWS access key ID in symphony/multica-ref/packages/views/issues/utils/redact.test.ts
symphony/multica-ref/packages/views/issues/utils/redact.test.ts View on unpkg · L7 12 patternName = aws_secret_key
severity = critical
line = 12
matchedText = const re...Y");
Critical Secret Pattern
AWS secret access key in symphony/multica-ref/packages/views/issues/utils/redact.test.ts
symphony/multica-ref/packages/views/issues/utils/redact.test.ts View on unpkg · L12
docs/research/reverse-skills-study/fausto-ai-mobile-re/ai-mobile-reverse-skills/tools/scripts/sign_rebuilder.py View file 719 patternName = private_key_rsa
severity = critical
line = 719
matchedText = "key": "...--",
Critical Secret Pattern
RSA private key in docs/research/reverse-skills-study/fausto-ai-mobile-re/ai-mobile-reverse-skills/tools/scripts/sign_rebuilder.py
docs/research/reverse-skills-study/fausto-ai-mobile-re/ai-mobile-reverse-skills/tools/scripts/sign_rebuilder.py View on unpkg · L719 Critical
Secret Pattern
symphony/multica-ref/server/pkg/redact/redact_test.go
Critical Secret Pattern symphony/multica-ref/server/pkg/redact/redact_test.go
Critical Secret Pattern symphony/multica-ref/server/pkg/redact/redact_test.go
Critical Secret Pattern symphony/multica-ref/packages/views/issues/utils/redact.test.ts
Critical Secret Pattern symphony/multica-ref/packages/views/issues/utils/redact.test.ts
Critical Secret Pattern symphony/multica-ref/packages/views/issues/utils/redact.test.ts
Critical Secret Pattern symphony/multica-ref/packages/views/issues/utils/redact.test.ts
Critical Secret Pattern symphony/multica-ref/packages/views/issues/utils/redact.test.ts
Critical Secret Pattern symphony/multica-ref/packages/views/issues/utils/redact.test.ts
Critical Secret Pattern symphony/multica-ref/packages/views/issues/utils/redact.test.ts
Critical Secret Pattern symphony/multica-ref/packages/views/issues/utils/redact.test.ts
Critical Secret Pattern docs/research/reverse-skills-study/fausto-ai-mobile-re/ai-mobile-reverse-skills/tools/scripts/sign_rebuilder.py
High Child Process bin/awk.js
High Sandbox Evasion Gated Capability bin/awk.js
High Runtime Package Install bin/awk.js
High Ships High Entropy Blob symphony/multica-ref/apps/desktop/build/icon.icns
Medium Dynamic Require core/GreetingEngine/test.js
Medium Install Persistence bin/awk.js
Medium Ships Build Helper symphony/multica-ref/docker/entrypoint.sh
Medium Structural Risk Force Deep Review
Medium Wildcard Dependency
No install hooks · other: harvest, harvest-dry, install-global, lint +5
Behavioral surface ChildProcess Crypto DynamicRequire EnvironmentVars Eval Filesystem Network Shell WebSocket HighEntropyStrings UrlStrings WildcardDependency
Source downloads or fetches remote code and executes it.
bin/awk.js
26 Trigger-reachable chain: manifest.main -> bin/awk.js
L26: const path = require('path');
L27: const https = require('https');
L28: const { execSync, spawnSync } = require('child_process');
L29: const os = require('os');
L30:
L31: const packageJson = require(path.join(__dirname, '..', 'package.json'));
L32: const AWK_VERSION = packageJson.version;
L33: const AWK_ROOT = path.join(__dirname, '..');
L34: const HOME = process.env.HOME || process.env.USERPROFILE;
L35:
...
L255: // Hide cursor
L256: if (process.stdout.isTTY) {
Critical Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
bin/awk.js View on unpkg · L26 27 const https = require('https');
L28: const { execSync, spawnSync } = require('child_process');
L29: const os = require('os');
206 const answer = execSync(
L207: `bash -c 'read -p "${question} [y/N]: " ans; echo $ans'`,
L208: { stdio: ['inherit', 'pipe', 'inherit'] }
26 const path = require('path');
L27: const https = require('https');
L28: const { execSync, spawnSync } = require('child_process');
L29: const os = require('os');
L30:
L31: const packageJson = require(path.join(__dirname, '..', 'package.json'));
L32: const AWK_VERSION = packageJson.version;
L33: const AWK_ROOT = path.join(__dirname, '..');
L34: const HOME = process.env.HOME || process.env.USERPROFILE;
L35:
...
L255: // Hide cursor
L256: if (process.stdout.isTTY) {
High Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
bin/awk.js View on unpkg · L26 776 try {
L777: execSync('which symphony', { stdio: 'ignore' });
L778: if (!silent) ok('Symphony CLI is installed');
...
L781: if (!silent) warn('Symphony CLI not found. Please install it manually:');
L782: if (!silent) dim(' npm install -g @leejungkiin/awkit-symphony');
L783: return false;
High Runtime Package Install
Package source invokes a package manager install command at runtime.
bin/awk.js View on unpkg · L776 26 const path = require('path');
L27: const https = require('https');
L28: const { execSync, spawnSync } = require('child_process');
L29: const os = require('os');
L30:
L31: const packageJson = require(path.join(__dirname, '..', 'package.json'));
L32: const AWK_VERSION = packageJson.version;
L33: const AWK_ROOT = path.join(__dirname, '..');
L34: const HOME = process.env.HOME || process.env.USERPROFILE;
L35:
...
L255: // Hide cursor
L256: if (process.stdout.isTTY) {
Medium Install Persistence
Source writes installer persistence such as shell profile or service configuration.
bin/awk.js View on unpkg · L26 17 patternName = private_key_rsa
severity = critical
line = 17
matchedText = const in...--";
Critical Secret Pattern
RSA private key in symphony/multica-ref/packages/views/issues/utils/redact.test.ts
symphony/multica-ref/packages/views/issues/utils/redact.test.ts View on unpkg · L17 24 patternName = github_pat
severity = critical
line = 24
matchedText = const re...n");
Critical Secret Pattern
GitHub personal access token in symphony/multica-ref/packages/views/issues/utils/redact.test.ts
symphony/multica-ref/packages/views/issues/utils/redact.test.ts View on unpkg · L24 71 patternName = github_pat
severity = critical
line = 71
matchedText = const re...n");
Critical Secret Pattern
GitHub personal access token in symphony/multica-ref/packages/views/issues/utils/redact.test.ts
symphony/multica-ref/packages/views/issues/utils/redact.test.ts View on unpkg · L71 71 patternName = aws_access_key
severity = critical
line = 71
matchedText = const re...n");
Critical Secret Pattern
AWS access key ID in symphony/multica-ref/packages/views/issues/utils/redact.test.ts
symphony/multica-ref/packages/views/issues/utils/redact.test.ts View on unpkg · L71 72 patternName = aws_access_key
severity = critical
line = 72
matchedText = expect(r...E");
Critical Secret Pattern
AWS access key ID in symphony/multica-ref/packages/views/issues/utils/redact.test.ts
symphony/multica-ref/packages/views/issues/utils/redact.test.ts View on unpkg · L72
@leejungkiin/awkit: Suspicious npm security report (Warn) | LPM Firewall
Source & flagged code30 flagged symphony/multica-ref/server/pkg/redact/redact_test.go View file Lines 1-30 text
8 func TestRedactAWSAccessKey(t *testing.T) {
10 input := "Found key AKIAIOSFODNN7EXAMPLE in config"
Critical Critical Secret
Package contains a critical-looking secret pattern.
symphony/multica-ref/server/pkg/redact/redact_test.go View on unpkg · L10 12 if strings.Contains(got, "AKIAIOSFODNN7EXAMPLE") {
13 t.Fatalf("AWS key not redacted: %s", got)
15 if !strings.Contains(got, "[REDACTED AWS KEY]") {
16 t.Fatalf("expected [REDACTED AWS KEY] placeholder, got: %s", got)
20 func TestRedactAWSSecretKey(t *testing.T) {
22 input := "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
24 if strings.Contains(got, "wJalrXUtnFEMI") {
25 t.Fatalf("AWS secret not redacted: %s", got)
29 func TestRedactPrivateKey(t *testing.T) {
10 patternName = aws_access_key
severity = critical
line = 10
matchedText = input :=...fig"
Critical Secret Pattern
AWS access key ID in symphony/multica-ref/server/pkg/redact/redact_test.go
symphony/multica-ref/server/pkg/redact/redact_test.go View on unpkg · L10 12 patternName = aws_access_key
severity = critical
line = 12
matchedText = if strin...") {
Critical Secret Pattern
AWS access key ID in symphony/multica-ref/server/pkg/redact/redact_test.go
symphony/multica-ref/server/pkg/redact/redact_test.go View on unpkg · L12 22 patternName = aws_secret_key
severity = critical
line = 22
matchedText = input :=...KEY"
Critical Secret Pattern
AWS secret access key in symphony/multica-ref/server/pkg/redact/redact_test.go
symphony/multica-ref/server/pkg/redact/redact_test.go View on unpkg · L22 31 patternName = private_key_rsa
severity = critical
line = 31
matchedText = input :=...ne."
Critical Secret Pattern
RSA private key in symphony/multica-ref/server/pkg/redact/redact_test.go
symphony/multica-ref/server/pkg/redact/redact_test.go View on unpkg · L31 43 patternName = github_pat
severity = critical
line = 43
matchedText = input :=...lmn"
Critical Secret Pattern
GitHub personal access token in symphony/multica-ref/server/pkg/redact/redact_test.go
symphony/multica-ref/server/pkg/redact/redact_test.go View on unpkg · L43 208 patternName = github_pat
severity = critical
line = 208
matchedText = input :=...lmn"
Critical Secret Pattern
GitHub personal access token in symphony/multica-ref/server/pkg/redact/redact_test.go
symphony/multica-ref/server/pkg/redact/redact_test.go View on unpkg · L208 208 patternName = aws_access_key
severity = critical
line = 208
matchedText = input :=...lmn"
Critical Secret Pattern
AWS access key ID in symphony/multica-ref/server/pkg/redact/redact_test.go
symphony/multica-ref/server/pkg/redact/redact_test.go View on unpkg · L208 210 patternName = aws_access_key
severity = critical
line = 210
matchedText = if strin...") {
Critical Secret Pattern
AWS access key ID in symphony/multica-ref/server/pkg/redact/redact_test.go
symphony/multica-ref/server/pkg/redact/redact_test.go View on unpkg · L210 Lines 6-47 javascript
8 * awkit install Install AWK into the active platform runtime
9 * awkit install -- all Install AWK into every supported platform
10 * awkit uninstall Remove
Lines 1-21 javascript
1 const { generateGreeting , getGreetingHistory , getGreetingStats } = require ( './index' );
2 const fs = require ( 'fs' );
Medium Dynamic Require
Package source references dynamic require/import behavior.
symphony/multica-ref/docker/entrypoint.sh View file • path = symphony/multica-ref/docker/entrypoint.sh
kind = build_helper
sizeBytes = 110
magicHex = [redacted]
Medium Ships Build Helper
Package ships non-JavaScript build or shell helper files.
symphony/multica-ref/docker/entrypoint.sh View on unpkg symphony/multica-ref/apps/desktop/build/icon.icns View file • path = symphony/multica-ref/apps/desktop/build/icon.icns
kind = high_entropy_blob
sizeBytes = 1170743
magicHex = [redacted]
High Ships High Entropy Blob
Package ships high-entropy non-source blobs.
symphony/multica-ref/apps/desktop/build/icon.icns View on unpkg symphony/multica-ref/packages/views/issues/utils/redact.test.ts View file 6 patternName = aws_access_key
severity = critical
line = 6
matchedText = const re...E");
Critical Secret Pattern
AWS access key ID in symphony/multica-ref/packages/views/issues/utils/redact.test.ts
symphony/multica-ref/packages/views/issues/utils/redact.test.ts View on unpkg · L6 7 patternName = aws_access_key
severity = critical
line = 7
matchedText = expect(r...E");
Critical Secret Pattern
AWS access key ID in symphony/multica-ref/packages/views/issues/utils/redact.test.ts
symphony/multica-ref/packages/views/issues/utils/redact.test.ts View on unpkg · L7 12 patternName = aws_secret_key
severity = critical
line = 12
matchedText = const re...Y");
Critical Secret Pattern
AWS secret access key in symphony/multica-ref/packages/views/issues/utils/redact.test.ts
symphony/multica-ref/packages/views/issues/utils/redact.test.ts View on unpkg · L12
docs/research/reverse-skills-study/fausto-ai-mobile-re/ai-mobile-reverse-skills/tools/scripts/sign_rebuilder.py View file 719 patternName = private_key_rsa
severity = critical
line = 719
matchedText = "key": "...--",
Critical Secret Pattern
RSA private key in docs/research/reverse-skills-study/fausto-ai-mobile-re/ai-mobile-reverse-skills/tools/scripts/sign_rebuilder.py
docs/research/reverse-skills-study/fausto-ai-mobile-re/ai-mobile-reverse-skills/tools/scripts/sign_rebuilder.py View on unpkg · L719 AWK
from system
11 * awkit update Update to latest version
12 * awkit init Init a new mobile project with Firebase setup
13 * awkit sync Sync repo to runtime (harvest is disabled)
14 * awkit status Compare repo vs installed files (diff view)
15 * awkit harvest [Disabled] Pull from ~/ .gemini / antigravity / into repo
16 * awkit doctor Check installation health
17 * awkit tg setup Setup Telegram Bot API credentials
18 * awkit tg send Send a message via Telegram Bot API
19 * awkit build Run project build command securely based on configuration
20 * awkit version Show current version
25 const fs = require ( 'fs' );
26 const path = require ( 'path' );
27 const https = require ( 'https' );
28 const { execSync , spawnSync } = require ( 'child_process' );
29 const os = require ( 'os' );
31 const packageJson = require (path. join (__dirname, '..' , 'package.json' ));
32 const AWK_VERSION = packageJson.version;
33 const AWK_ROOT = path. join (__dirname, '..' );
34 const HOME = process.env. HOME || process.env. USERPROFILE ;
35
Critical Same File Env Network Execution
A single source file combines environment access, network access, and code or shell execution with blocking evidence.
bin/awk.js View on unpkg · L26 Critical Command Output Exfiltration
Source executes local commands and sends command output to an external endpoint.
bin/awk.js View on unpkg · L26 Critical Download Execute
Source downloads or fetches remote code and executes it.
bin/awk.js View on unpkg · L26 Medium Install Persistence
Source writes installer persistence such as shell profile or service configuration.
bin/awk.js View on unpkg · L26 36 const { generateClineRules , generateClineWorkflows , generateClineSkills } = require ( './cline-generators' );
37 const { generateCodexAgentsMd , generateCodexSkills , generateCodexAgents } = require ( './codex-generators' );
38 const { generateClaudeRules , generateClaudeSkills } = require ( './claude-generators' );
39 const { generateCursorRules , generateCursorSkills , generateCursorWorkflows } = require ( './cursor-generators' );
40 const { cmdGate } = require ( '../scripts/automation-gate' );
41 const { cmdObsidian } = require ( '../scripts/obsidian-sync' );
42 const { cmdModel } = require ( '../scripts/model-manager' );
43 const { cmdI18n } = require ( '../scripts/i18n-helper' );
44 const { cmdStorage } = require ( '../scripts/artifact-storage' );
45 const { cmdPipeline } = require ( '../scripts/multi-model-pipeline' );
46 const depManager = require ( '../scripts/dependency-manager' );
47 const rtkRuntime = require ( '../scripts/exec-rtk' );
Lines 186-226 javascript
193 function log ( msg ) { console. log (msg); }
194 function ok ( msg ) { log ( `${ C . green }✅ ${ msg }${ C . reset }` ); }
195 function warn ( msg ) { log ( `${ C . yellow }⚠️ ${ msg }${ C . reset }` ); }
196 function err ( msg ) { log ( `${ C . red }❌ ${ msg }${ C . reset }` ); }
197 function info ( msg ) { log ( `${ C . cyan }ℹ️ ${ msg }${ C . reset }` ); }
198 function dim ( msg ) { log ( `${ C . gray } ${ msg }${ C . reset }` ); }
201 * Prompt user for Y/N input synchronously (macOS/Linux only).
202 * Returns true if user answers 'y' or 'yes'.
204 function promptYN ( question ) {
206 const answer = execSync (
207 `bash -c 'read -p "${ question } [y/N]: " ans; echo $ans'` ,
208 { stdio: [ 'inherit' , 'pipe' , 'inherit' ] }
209 ). toString (). trim (). toLowerCase ();
210 return answer === 'y' || answer === 'yes' ;
217 * Prompt user for a choice, returning the raw answer string.
218 * Returns defaultVal if user presses Enter without input.
220 function promptChoice ( question , defaultVal = '' ) {
222 const answer = execSync (
223 `bash -c 'read -p "${ question } (default: ${ defaultVal }): " ans; echo $ans'` ,
224 { stdio: [ 'inherit' , 'pipe' , 'inherit' ] }
226 return answer || defaultVal;
26 Trigger-reachable chain: manifest.main -> bin/awk.js
L26: const path = require('path');
L27: const https = require('https');
L28: const { execSync, spawnSync } = require('child_process');
L29: const os = require('os');
L30:
L31: const packageJson = require(path.join(__dirname, '..', 'package.json'));
L32: const AWK_VERSION = packageJson.version;
L33: const AWK_ROOT = path.join(__dirname, '..');
L34: const HOME = process.env.HOME || process.env.USERPROFILE;
L35:
...
L255: // Hide cursor
L256: if (process.stdout.isTTY) {
Critical Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
bin/awk.js View on unpkg · L26 26 const path = require('path');
L27: const https = require('https');
L28: const { execSync, spawnSync } = require('child_process');
L29: const os = require('os');
L30:
L31: const packageJson = require(path.join(__dirname, '..', 'package.json'));
L32: const AWK_VERSION = packageJson.version;
L33: const AWK_ROOT = path.join(__dirname, '..');
L34: const HOME = process.env.HOME || process.env.USERPROFILE;
L35:
...
L255: // Hide cursor
L256: if (process.stdout.isTTY) {
High Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
bin/awk.js View on unpkg · L26 776 try {
L777: execSync('which symphony', { stdio: 'ignore' });
L778: if (!silent) ok('Symphony CLI is installed');
...
L781: if (!silent) warn('Symphony CLI not found. Please install it manually:');
L782: if (!silent) dim(' npm install -g @leejungkiin/awkit-symphony');
L783: return false;
High Runtime Package Install
Package source invokes a package manager install command at runtime.
bin/awk.js View on unpkg · L776 core/GreetingEngine/test.js
5 console. log ( "🧪 Testing Qwen's Generated GreetingEngine..." );
8 const g1 = generateGreeting ({ name: "Alice" , lang: "en" });
9 console. log ( `✅ Greeting 1: "${ g1 . data . message }"` );
11 const g2 = generateGreeting ({ name: "Bình" , lang: "vi" });
12 console. log ( `✅ Greeting 2: "${ g2 . data . message }"` );
14 const g3 = generateGreeting ({ name: "Yamada" , lang: "ja" });
15 console. log ( `✅ Greeting 3: "${ g3 . data . message }"` );
17 // Language fallback test
18 const g4 = generateGreeting ({ name: "Charlie" , lang: "fr" }); // French not supported, should fallback to English
19 console. log ( `✅ Greeting 4 (Fallback): "${ g4 . data . message }" (Language: ${ g4 . data . lang })` );
17 patternName = private_key_rsa
severity = critical
line = 17
matchedText = const in...--";
Critical Secret Pattern
RSA private key in symphony/multica-ref/packages/views/issues/utils/redact.test.ts
symphony/multica-ref/packages/views/issues/utils/redact.test.ts View on unpkg · L17 24 patternName = github_pat
severity = critical
line = 24
matchedText = const re...n");
Critical Secret Pattern
GitHub personal access token in symphony/multica-ref/packages/views/issues/utils/redact.test.ts
symphony/multica-ref/packages/views/issues/utils/redact.test.ts View on unpkg · L24 71 patternName = github_pat
severity = critical
line = 71
matchedText = const re...n");
Critical Secret Pattern
GitHub personal access token in symphony/multica-ref/packages/views/issues/utils/redact.test.ts
symphony/multica-ref/packages/views/issues/utils/redact.test.ts View on unpkg · L71 71 patternName = aws_access_key
severity = critical
line = 71
matchedText = const re...n");
Critical Secret Pattern
AWS access key ID in symphony/multica-ref/packages/views/issues/utils/redact.test.ts
symphony/multica-ref/packages/views/issues/utils/redact.test.ts View on unpkg · L71 72 patternName = aws_access_key
severity = critical
line = 72
matchedText = expect(r...E");
Critical Secret Pattern
AWS access key ID in symphony/multica-ref/packages/views/issues/utils/redact.test.ts
symphony/multica-ref/packages/views/issues/utils/redact.test.ts View on unpkg · L72