registry  /  chaite  /  1.11.0

chaite@1.11.0

core for chatgpt-plugin and karin-plugin-chatgpt

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed package-initiated malicious action was found. The package provides configurable agent, workflow, tool, and server capabilities that can execute consumer-supplied code or expressions.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
A consumer configures and invokes dynamic modules, workflow conditions, trusted tool entries, or a remote sandbox.
Impact
Unsafe consumer configuration could execute code; no stealth, install-time, or unsolicited execution chain is present.
Mechanism
Consumer-configured dynamic module loading, expression evaluation, and tool execution.
Rationale
Source inspection does not support a malicious verdict, but the exported dynamic-code and tool-execution capabilities are dangerous if an integrator exposes them to untrusted input. Treat as a warn-level dual-use package rather than a block.
Evidence
package.jsondist/index.mjsdist/chunks/@google/genai/index.mjs-B9fCpHLR.mjsdist/chunks/lop/index.mjs-BWbOMJZv.mjsREADME.md

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • dist/index.mjs exports saveAndLoadModule, which writes supplied JavaScript then dynamically imports it.
  • dist/index.mjs evaluates workflow condition expressions with new Function.
  • dist/index.mjs can spawn configured trusted tool modules and can POST configured tool payloads to a remote sandbox.
Evidence against
  • package.json has no preinstall, install, or postinstall lifecycle hook.
  • dist/index.mjs has no package-owned hard-coded external endpoint; network base URLs are caller configuration.
  • No source evidence of environment harvesting or credential exfiltration.
  • Google metadata URLs occur in the bundled @google/genai dependency chunk, not package-specific attack logic.
  • Child-process execution is documented for configured trusted tools, with timeout and restricted supplied environment.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 123 file(s), 7.02 MB of source, external domains: 169.254.169.254, accounts.google.com, aiplatform.googleapis.com, alova.js.org, api.anthropic.com, api.iconify.design, api.openai.com, api.simplesvg.com, api.unisvg.com, cloud.google.com, cloudresourcemanager.googleapis.com, developer.mozilla.org, docs.anthropic.com, docs.chaite.cloud, docs.expo.dev, dom.spec.whatwg.org, dub.sh, example.com, fetch.spec.whatwg.org, generativelanguage.googleapis.com, git.io, github.com, goo.gl, help.openai.com, html.spec.whatwg.org, jimmy.warting.se, metadata.google.internal, oauth2.googleapis.com, purl.oclc.org, schemas.microsoft.com, schemas.openxmlformats.org, schemas.zwobble.org, stackoverflow.com, stuk.github.io, vuejs.org, w3c.github.io, www.chaite.cloud, www.google.com, www.googleapis.com, www.gstatic.com, www.naiveui.com, www.saxproject.org, www.w3.org

Source & flagged code

8 flagged · loading source
frontend/build/assets/index-CHzJdK6G.jsView file
3082L3083: For detailed: https://alova.js.org/error#${n}`:"")),this.name=`[alova${t?`/${t}`:""}]`}}const D7=(e="")=>(t,o,n)=>{if(!t)throw Ao(F7,e,o,n)},N_=()=>{const e={};return{eventMap:e,on... L3084: https://github.com/highlightjs/highlight.js/issues/2277`),fo=Ie,Ut=et),vt===void 0&&(vt=!0);const hn={code:Ut,language:fo};Pl("before:highlight",hn);const or=hn.result?hn.result:te...
High
Child Process

Package source references child process execution.

frontend/build/assets/index-CHzJdK6G.jsView on unpkg · L3082
dist/chunks/lop/index.mjs-BWbOMJZv.mjsView file
1076try { L1077: render = new Function(argument, "_", source); L1078: } catch (e) {
High
Eval

Package source references dynamic code evaluation.

dist/chunks/lop/index.mjs-BWbOMJZv.mjsView on unpkg · L1076
dist/index.mjsView file
1import { s as __toESM } from "./rolldown-runtime-DVriDoez.mjs"; L2: import { t as __dirname } from "./__dirname-BYuaqN8u.mjs"; L3: import "./chunks/lop/index.mjs-BWbOMJZv.mjs"; ... L13: import "./chunks/dingbat-to-unicode/index.mjs-DjR5pQCM.mjs"; L14: import { t as axios_default } from "./chunks/axios/index.mjs-Dt6hQziM.mjs"; L15: import "./chunks/accepts/index.mjs-CtXuJELB.mjs"; ... L39: import * as crypto from "node:crypto"; L40: import { spawn } from "node:child_process"; L41: ... L69: fromString(str) { L70: return JSON.parse(str); L71: }
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/index.mjsView on unpkg · L1
1Trigger-reachable chain: manifest.main -> dist/index.mjs L1: import { s as __toESM } from "./rolldown-runtime-DVriDoez.mjs"; L2: import { t as __dirname } from "./__dirname-BYuaqN8u.mjs"; L3: import "./chunks/lop/index.mjs-BWbOMJZv.mjs"; ... L13: import "./chunks/dingbat-to-unicode/index.mjs-DjR5pQCM.mjs"; L14: import { t as axios_default } from "./chunks/axios/index.mjs-Dt6hQziM.mjs"; L15: import "./chunks/accepts/index.mjs-CtXuJELB.mjs"; ... L39: import * as crypto from "node:crypto"; L40: import { spawn } from "node:child_process"; L41: ... L69: fromString(str) { L70: return JSON.parse(str); L71: }
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.mjsView on unpkg · L1
1Cross-file remote execution chain: dist/index.mjs spawns dist/chunks/@anthropic-ai/sdk/index.mjs-sKjldQtK.mjs; helper contains network access plus dynamic code execution. L1: import { s as __toESM } from "./rolldown-runtime-DVriDoez.mjs"; L2: import { t as __dirname } from "./__dirname-BYuaqN8u.mjs"; L3: import "./chunks/lop/index.mjs-BWbOMJZv.mjs"; ... L13: import "./chunks/dingbat-to-unicode/index.mjs-DjR5pQCM.mjs"; L14: import { t as axios_default } from "./chunks/axios/index.mjs-Dt6hQziM.mjs"; L15: import "./chunks/accepts/index.mjs-CtXuJELB.mjs"; ... L39: import * as crypto from "node:crypto"; L40: import { spawn } from "node:child_process"; L41: ... L69: fromString(str) { L70: return JSON.parse(str); L71: }
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.mjsView on unpkg · L1
666try { L667: const module = await import(`${`file://${path$1.resolve(filePath)}`}?update=${Date.now()}`); L668: if (!("default" in module)) return null;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.mjsView on unpkg · L666
dist/chunks/cookie-signature/index.mjs-CbpUR0b7.mjsView file
14* @return {String} L15: * @api private L16: */ ... L19: if ("string" != typeof secret) throw new TypeError("Secret string must be provided."); L20: return val + "." + crypto.createHmac("sha256", secret).update(val).digest("base64").replace(/\=+$/, ""); L21: };
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/chunks/cookie-signature/index.mjs-CbpUR0b7.mjsView on unpkg · L14
dist/chunks/@google/genai/index.mjs-B9fCpHLR.mjsView file
8L9: //#region node_modules/.pnpm/base64-js@1.5.1/node_modules/base64-js/index.js L10: var require_base64_js = /* @__PURE__ */ __commonJS({ "node_modules/.pnpm/base64-js@1.5.1/node_modules/base64-js/index.js": ((exports) => { ... L99: var require_safe_buffer = /* @__PURE__ */ __commonJS({ "node_modules/.pnpm/safe-buffer@5.2.1/node_modules/safe-buffer/index.js": ((exports, module) => { L100: /*! safe-buffer. MIT License. Feross Aboukhadijeh <https://feross.org/opensource> */ L101: var buffer = __require("buffer"); ... L350: //#endregion L351: //#region node_modules/.pnpm/gaxios@7.1.3/node_modules/gaxios/package.json L352: var require_package$1 = /* @__PURE__ */ __commonJS({ "node_modules/.pnpm/gaxios@7.1.3/node_modules/gaxios/package.json": ((exports, module) => { ... L639: if (!obj || typeof obj !== "object") return; L640: else if (obj instanceof FormData || obj instanceof URLSearchParams || "forEach" in obj && "set" in obj) obj.forEach((_, key) => { L641: if (["grant_type", "assertion"].includes(key) || /secret/.test(key)) obj.set(key, REDACT);
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/chunks/@google/genai/index.mjs-B9fCpHLR.mjsView on unpkg · L8

Findings

2 Critical5 High4 Medium7 Low
CriticalCredential Exfiltrationdist/index.mjs
CriticalTrigger Reachable Dangerous Capabilitydist/index.mjs
HighChild Processfrontend/build/assets/index-CHzJdK6G.js
HighShell
HighEvaldist/chunks/lop/index.mjs-BWbOMJZv.mjs
HighCloud Metadata Accessdist/chunks/@google/genai/index.mjs-B9fCpHLR.mjs
HighCross File Remote Execution Contextdist/index.mjs
MediumDynamic Requiredist/index.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/chunks/cookie-signature/index.mjs-CbpUR0b7.mjs
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings