AI Security Review
scanned 10d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The package is an LLM-augmented execution language with explicit shell, file, scheduling, daemon, and LLM capabilities that are documented and user-invoked.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs dirac/dish CLI, starts agent, or executes Dirac programs using powerful tags.
Impact
User-authored or LLM-generated Dirac code can execute shell commands, read/write selected files, call LLM endpoints, and run scheduled tasks.
Mechanism
documented interpreter and interactive shell capabilities
Rationale
The high-risk primitives are real but match the package's stated purpose as a user-invoked agentic execution language, and I found no lifecycle trigger, hidden import-time behavior, credential exfiltration, or unconsented persistence. Treat as dangerous-by-design tooling rather than malware.
Evidence
package.jsondist/cli.jsdist/index.jsdist/chunk-R42DSFUB.jsdist/chunk-PKLOBITC.jsdist/chunk-PPH7KYKH.jsdist/shell-U5L7KXSV.jsdist/agent-OP5VWQN3.jslib/native-tags.diREADME.md~/.dirac/config.yml~/.dirac/shell-init.di~/.dirac/session.pid~/.dirac/agent.loguser-specified input/output/config paths
Network endpoints3
localhost:11434/api/generatelocalhost:5001/chatlocalhost:11434/api/embeddings
Decision evidence
public snapshotAI called this Clean at 84.0% confidence as Benign with medium false-positive risk.
Evidence for block
- dist/chunk-PKLOBITC.js implements user-invoked <system> shell execution and background spawn.
- dist/chunk-PKLOBITC.js has LLM execute/code-generation features and dynamic module import via <require_module>.
- dist/shell-U5L7KXSV.js interactive shell runs typed commands through user's shell.
- dist/agent-OP5VWQN3.js can start a user-requested local daemon under ~/.dirac.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks.
- dist/index.js only exports library APIs; no obvious import-time execution beyond module initialization.
- CLI execution requires user commands or input files; source reads config/input files by explicit CLI paths or conventional config.
- Network use is package-aligned LLM/embedding calls to OpenAI/Anthropic SDKs or configured/local LLM endpoints.
- File writes are user-invoked language features: output/save/edit/history/agent pid-log files.
- No credential harvesting or exfiltration path found; env vars are used as API/config inputs.
Behavioral surface
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStrings
Source & flagged code
4 flagged · loading sourcedist/chunk-PKLOBITC.jsView file
1577// src/tags/system.ts
L1578: import { exec, spawn } from "child_process";
L1579: import { promisify } from "util";
High
Child Process
Package source references child process execution.
dist/chunk-PKLOBITC.jsView on unpkg · L15771579import { promisify } from "util";
L1580: var execAsync = promisify(exec);
L1581: async function executeSystem(session, element) {
High
299async function registerExtendChain(session, subroutine, currentName) {
L300: const { executeSubroutine: executeSubroutine2 } = await import("./subroutine-7JJKHTV4.js");
L301: const extendsAttr = subroutine.attributes.extends;
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/chunk-PKLOBITC.jsView on unpkg · L299dist/shell-U5L7KXSV.jsView file
20Cross-file remote execution chain: dist/shell-U5L7KXSV.js spawns dist/chunk-PKLOBITC.js; helper contains network access plus dynamic code execution.
L20: import yaml from "js-yaml";
L21: var HISTORY_FILE = path.join(os.homedir(), ".dirac_history");
L22: var MAX_HISTORY = 1e3;
...
L41: input: process.stdin,
L42: output: process.stdout,
L43: prompt: "> ",
...
L86: ];
L87: const envVarNames = Object.keys(process.env).filter(
L88: (name) => commonEnvVars.includes(name) || name.startsWith("DIRAC_") || name.startsWith("TELEGRAM_")
...
L588: try {
L589: formattedValue = JSON.stringify(JSON.parse(v.value), null, 2);
L590: } catch {
High
Cross File Remote Execution Context
Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/shell-U5L7KXSV.jsView on unpkg · L20Findings
3 High3 Medium3 Low
HighChild Processdist/chunk-PKLOBITC.js
HighShelldist/chunk-PKLOBITC.js
HighCross File Remote Execution Contextdist/shell-U5L7KXSV.js
MediumDynamic Requiredist/chunk-PKLOBITC.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings