registry  /  dirac-lang  /  0.1.97

dirac-lang@0.1.97

LLM-Augmented Declarative Execution

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The package is an explicitly invoked declarative execution runtime. User-supplied scripts can run shell commands, including background processes, and can execute LLM-generated runtime code.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs the CLI, starts the agent, or executes a `.di`/`.bk` program containing privileged tags.
Impact
A malicious or untrusted Dirac program/prompt can execute arbitrary commands with the invoking user's privileges.
Mechanism
User-directed shell execution and optional LLM-generated program execution.
Rationale
Source inspection confirms powerful execution and persistence features but no covert install-time behavior, credential exfiltration, hard-coded external collector, or unconsented AI-agent control-surface mutation. This is a dangerous dual-use execution runtime rather than concrete package malware.
Evidence
package.jsondist/chunk-4TBIVB4X.jsdist/chunk-PPH7KYKH.jsdist/agent-MJSTQERB.jsdist/chunk-KFMG6CZW.jsREADME.md~/.dirac/session.pid~/.dirac/agent.log~/.dirac/session.sock~/.dirac/lib/~/.dirac_history
Network endpoints2
localhost:11434/api/generatelocalhost:5001/chat

Decision evidence

public snapshot
AI called this Suspicious at 94.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/chunk-4TBIVB4X.js` implements `<system>` with `exec` and background `spawn(..., shell:true)`.
  • `dist/chunk-4TBIVB4X.js` supports LLM-generated code execution (`<llm execute="true">`).
  • `dist/agent-MJSTQERB.js` explicitly starts a detached persistent local agent under `~/.dirac`.
  • `README.md` documents shell commands and generated-code execution as intended features.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hook.
  • CLI/agent execution requires explicit `dirac` commands or interpreted user scripts.
  • LLM keys are used to configure selected LLM clients; no source path harvests or sends unrelated files/credentials.
  • Observed network code targets configured LLM providers or local defaults, not a hard-coded collector.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 23 file(s), 254 KB of source

Source & flagged code

5 flagged · loading source
dist/shell-CY5XIPQC.jsView file
981const editor = process.env.EDITOR || process.env.VISUAL || "vi"; L982: const { spawnSync } = await import("child_process"); L983: const result = spawnSync(editor, [tempFile], {
High
Child Process

Package source references child process execution.

dist/shell-CY5XIPQC.jsView on unpkg · L981
20Cross-file remote execution chain: dist/shell-CY5XIPQC.js spawns dist/chunk-4TBIVB4X.js; helper contains network access plus dynamic code execution. L20: import yaml from "js-yaml"; L21: var HISTORY_FILE = path.join(os.homedir(), ".dirac_history"); L22: var MAX_HISTORY = 1e3; ... L41: input: process.stdin, L42: output: process.stdout, L43: prompt: "> ", ... L86: ]; L87: const envVarNames = Object.keys(process.env).filter( L88: (name) => commonEnvVars.includes(name) || name.startsWith("DIRAC_") || name.startsWith("TELEGRAM_") ... L588: try { L589: formattedValue = JSON.stringify(JSON.parse(v.value), null, 2); L590: } catch {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/shell-CY5XIPQC.jsView on unpkg · L20
dist/chunk-4TBIVB4X.jsView file
matchType = previous_version_dangerous_delta matchedPackage = dirac-lang@0.1.95 matchedIdentity = npm:ZGlyYWMtbGFuZw:0.1.95 similarity = 0.913 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/chunk-4TBIVB4X.jsView on unpkg
1739import { promisify } from "util"; L1740: var execAsync = promisify(exec); L1741: async function executeSystem(session, element) {
High
Shell

Package source references shell execution.

dist/chunk-4TBIVB4X.jsView on unpkg · L1739
299async function registerExtendChain(session, subroutine, currentName) { L300: const { executeSubroutine: executeSubroutine2 } = await import("./subroutine-7JJKHTV4.js"); L301: const extendsAttr = subroutine.attributes.extends;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/chunk-4TBIVB4X.jsView on unpkg · L299

Findings

1 Critical3 High3 Medium3 Low
CriticalPrevious Version Dangerous Deltadist/chunk-4TBIVB4X.js
HighChild Processdist/shell-CY5XIPQC.js
HighShelldist/chunk-4TBIVB4X.js
HighCross File Remote Execution Contextdist/shell-CY5XIPQC.js
MediumDynamic Requiredist/chunk-4TBIVB4X.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings