registry  /  diffai-sensioerp  /  0.2.0

diffai-sensioerp@0.2.0

Local-AI powered git diff analyzer. Produces a structured technical summary (JSON) of what changed, with zero cloud dependencies.

AI Security Review

scanned 1h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a user-invoked git diff analyzer that may send changed code chunks to local Ollama or OpenAI based on configuration/environment.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs the diffai CLI analyze or health command.
Impact
Changed source chunks may be transmitted to OpenAI when OPENAI_API_KEY_CHECKLIST is configured; otherwise local Ollama is used.
Mechanism
User-invoked AI analysis of git diffs with optional OpenAI backend
Rationale
Static inspection shows expected CLI behavior for an AI git-diff analyzer, with explicit local/Ollama and optional OpenAI paths and no install-time execution or covert exfiltration. Scanner credential-exfiltration hints appear to be the OpenAI API key used only as an Authorization header for the documented OpenAI API calls.
Evidence
package.jsonpackages/cli/dist/bin.jspackages/cli/dist/chunk-KQT4GSWI.jsREADME.md.env.diffai/cache.diffai/analysis.jsondocs/analysis.md
Network endpoints2
localhost:11434api.openai.com/v1

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • packages/cli/dist/chunk-KQT4GSWI.js reads OPENAI_API_KEY_CHECKLIST and uses it as OpenAI Authorization header.
  • packages/cli/dist/chunk-KQT4GSWI.js can POST changed code chunks to configured OpenAI /chat/completions when the env var is set.
  • CLI writes analysis outputs and cache under user-configured paths such as .diffai/analysis.json, docs/analysis.md, and .diffai/cache.
Evidence against
  • package.json has no preinstall/install/postinstall hooks; only prepublishOnly build script.
  • packages/cli/dist/bin.js only invokes createProgram().parseAsync(process.argv), so behavior is CLI user-invoked.
  • Default AI endpoint is local Ollama at http://localhost:11434 unless OPENAI_API_KEY_CHECKLIST is present or config forces OpenAI.
  • Network destinations are package-aligned AI providers: localhost Ollama and https://api.openai.com/v1.
  • No broad credential/file harvesting, persistence, destructive install-time behavior, or AI-agent control-surface mutation found.
  • File deletion is limited to generated cache/docs/summary cleanup on branch-state changes.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 65.0 KB of source, external domains: api.openai.com

Source & flagged code

3 flagged · loading source
packages/cli/dist/chunk-KQT4GSWI.jsView file
20const suffix = meta === void 0 ? "" : ` ${stringify(meta)}`; L21: process.stderr.write(`[diffai:${level}] ${message}${suffix} L22: `); ... L163: model: z3.string().default("qwen2.5-coder:7b"), L164: baseUrl: z3.string().url().default("http://localhost:11434"), L165: temperature: z3.number().min(0).max(2).default(0.1), ... L175: var GitConfigSchema = z3.object({ L176: cwd: z3.string().default(() => process.cwd()), L177: /** Base ref to diff against. When omitted the provider defaults to HEAD. */ ... L342: const raw = await readFile(join(cwd, name), "utf8"); L343: return JSON.parse(raw); L344: } catch {
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

packages/cli/dist/chunk-KQT4GSWI.jsView on unpkg · L20
20Trigger-reachable chain: manifest.bin -> packages/cli/dist/bin.js -> packages/cli/dist/chunk-KQT4GSWI.js L20: const suffix = meta === void 0 ? "" : ` ${stringify(meta)}`; L21: process.stderr.write(`[diffai:${level}] ${message}${suffix} L22: `); ... L163: model: z3.string().default("qwen2.5-coder:7b"), L164: baseUrl: z3.string().url().default("http://localhost:11434"), L165: temperature: z3.number().min(0).max(2).default(0.1), ... L175: var GitConfigSchema = z3.object({ L176: cwd: z3.string().default(() => process.cwd()), L177: /** Base ref to diff against. When omitted the provider defaults to HEAD. */ ... L342: const raw = await readFile(join(cwd, name), "utf8"); L343: return JSON.parse(raw); L344: } catch {
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

packages/cli/dist/chunk-KQT4GSWI.jsView on unpkg · L20
20const suffix = meta === void 0 ? "" : ` ${stringify(meta)}`; L21: process.stderr.write(`[diffai:${level}] ${message}${suffix} L22: `); ... L163: model: z3.string().default("qwen2.5-coder:7b"), L164: baseUrl: z3.string().url().default("http://localhost:11434"), L165: temperature: z3.number().min(0).max(2).default(0.1), ... L175: var GitConfigSchema = z3.object({ L176: cwd: z3.string().default(() => process.cwd()), L177: /** Base ref to diff against. When omitted the provider defaults to HEAD. */ ... L342: const raw = await readFile(join(cwd, name), "utf8"); L343: return JSON.parse(raw); L344: } catch {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

packages/cli/dist/chunk-KQT4GSWI.jsView on unpkg · L20

Findings

2 Critical2 Medium5 Low
CriticalCredential Exfiltrationpackages/cli/dist/chunk-KQT4GSWI.js
CriticalTrigger Reachable Dangerous Capabilitypackages/cli/dist/chunk-KQT4GSWI.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptopackages/cli/dist/chunk-KQT4GSWI.js
LowFilesystem
LowUrl Strings