registry  /  @panguard-ai/panguard  /  1.8.4

@panguard-ai/panguard@1.8.4

Panguard AI - Unified security CLI

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; source closely matched a different package identity
Trigger
User runs `pga setup`, `pga hook install`, or `pga persist`.
Impact
The package can influence supported agent tool execution after the user opts into configuration; no unconsented lifecycle mutation is established.
Mechanism
Explicit AI-agent hook/MCP configuration and optional local persistence setup.
Rationale
Static inspection does not support a malicious verdict: the lifecycle hook is informational and high-impact changes require explicit commands. The broad AI-agent hook capability remains a meaningful user-invoked control-surface risk.
Evidence
package.jsonbin/panguard.cjsdist/cli/commands/setup.jsdist/cli/commands/hook.jsdist/cli/commands/persist.jsdist/cli/commands/upgrade.js~/.claude/settings.json~/.codex/hooks.json~/.gemini/settings.json~/.cursor/hooks.json~/.codeium/windsurf/hooks.json~/Documents/Cline/Rules/Hooks/PreToolUse
Network endpoints2
app.panguard.aitc.panguard.ai

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/cli/commands/setup.js` explicitly configures detected AI-agent platforms via MCP injection.
  • `dist/cli/commands/hook.js` can register `pga hook run` in Claude, Codex, Gemini, Cursor, Windsurf, and Cline hook configs.
  • `dist/cli/commands/persist.js` provides a user-invoked persistence command.
  • `dist/cli/commands/upgrade.js` runs a global npm install when `panguard upgrade` is invoked.
Evidence against
  • `package.json` postinstall only prints a quick-start message.
  • `bin/panguard.cjs` only imports the local CLI entrypoint.
  • Agent configuration mutation is behind explicit CLI commands, not install-time execution.
  • Network use is tied to login/account and named Panguard endpoints; no source-confirmed credential harvesting or payload download.
  • No `eval`, VM execution, remote code loader, or destructive install-time behavior was found in inspected files.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 62 file(s), 608 KB of source, external domains: 127.0.0.1, app.panguard.ai, clawhub.ai, github.com, ollama.com, panguard.ai, raw.githubusercontent.com, registry.npmjs.org, tc.panguard.ai

Source & flagged code

10 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "console.log('\n Panguard AI v' + require('./package.json').version + ' installed.\n\n Quick start:\n pga Open interactive menu\n pga up Star...
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.jsonView on unpkg
scripts.postinstall = node -e "console.log('\n Panguard AI v' + require('./package.json').version + ' installed.\n\n Quick start:\n pga Open interactive menu\n pga up Star...
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/init/environment.jsView file
12import { join } from 'node:path'; L13: import { execFile } from 'node:child_process'; L14: /**
High
Child Process

Package source references child process execution.

dist/init/environment.jsView on unpkg · L12
dist/cli/device-flow.jsView file
113if (platform === 'win32') { L114: // `start` is a cmd builtin, so we have to go through cmd.exe. L115: // Empty string as first arg is a quirk of `start` to support quoted URLs.
High
Shell

Package source references shell execution.

dist/cli/device-flow.jsView on unpkg · L113
bin/panguard.cjsView file
3// Windows paths (C:\...) are not valid ESM specifiers. L4: // This wrapper converts the path to a file:// URL before import(). L5: const { join } = require('path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/panguard.cjsView on unpkg · L3
dist/cli/commands/persist.jsView file
15import { homedir, platform } from 'node:os'; L16: import { execFile } from 'node:child_process'; L17: /** ... L25: export const SERVICE_PLIST_BASENAME = `${SERVICE_LABEL}.plist`; L26: const DATA_DIR = join(homedir(), '.panguard-guard'); L27: function plistPath() { ... L79: * (user LaunchAgent, no sudo). Idempotent: if our plist already exists we don't L80: * rewrite it, but we still `launchctl load` (harmless if already loaded) so a L81: * present-but-unloaded service is brought up. The service itself runs the
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli/commands/persist.jsView on unpkg · L15
dist/cli/commands/up.jsView file
23const t = (lang, en, zh) => (lang === 'zh-TW' ? zh : en); L24: const TC_ENDPOINT = 'https://tc.panguard.ai'; L25: function openBrowser(url) { ... L27: if (os === 'win32') { L28: // Hardcode cmd.exe path — never trust COMSPEC env var (attacker-controllable) L29: const systemRoot = process.env['SystemRoot'] || 'C:\\Windows'; L30: const cmd = `${systemRoot}\\System32\\cmd.exe`;
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli/commands/up.jsView on unpkg · L23
dist/cli/telemetry.jsView file
7*/ L8: const TC_ENDPOINT = 'https://tc.panguard.ai'; L9: /** ... L27: export function getLocalPlatform() { L28: return `${process.platform}-${process.arch}`; L29: } ... L52: headers: { 'Content-Type': 'application/json' }, L53: body: JSON.stringify({ L54: event_type: `cli_${event.event}`, ... L86: const pathMod = await import('node:path'); L87: const dataDir = pathMod.join(process.env['HOME'] ?? process.env['USERPROFILE'] ?? '.', '.panguard-guard'); L88: const tc = await ThreatCloudClient.create(TC_ENDPOINT, dataDir);
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli/telemetry.jsView on unpkg · L7
dist/cli/commands/upgrade.jsView file
14try { L15: execSync('npm install -g @panguard-ai/panguard@latest', { L16: stdio: 'inherit',
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli/commands/upgrade.jsView on unpkg · L14
dist/cli/commands/setup.jsView file
matchType = package_source_clone_identity_mismatch matchedPackage = panguard@1.8.3 matchedPath = bin/panguard.cjs matchedIdentity = npm:cGFuZ3VhcmQ:1.8.3 similarity = 1.000 shingleOverlap = 61 summary = source files closely matched a different published package identity
High
Package Source Clone Identity Mismatch

Package source closely matches a different published package identity; review for dependency-confusion or copied-code abuse.

dist/cli/commands/setup.jsView on unpkg

Findings

1 Critical7 High5 Medium4 Low
CriticalRed Install Lifecycle Scriptpackage.json
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/init/environment.js
HighShelldist/cli/device-flow.js
HighSame File Env Network Executiondist/cli/commands/up.js
HighSandbox Evasion Gated Capabilitydist/cli/telemetry.js
HighRuntime Package Installdist/cli/commands/upgrade.js
HighPackage Source Clone Identity Mismatchdist/cli/commands/setup.js
MediumDynamic Requirebin/panguard.cjs
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/cli/commands/persist.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings