registry  /  dirac-lang  /  0.1.93

dirac-lang@0.1.93

LLM-Augmented Declarative Execution

AI Security Review

scanned 8d ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs dirac/dish CLI, starts the agent, or executes a Dirac program using dangerous tags.
Impact
Dirac programs or LLM-generated code can execute shell commands, write files, call configured LLM/network endpoints, and schedule tasks under user control.
Mechanism
user-invoked scripting and AI-agent execution primitives
Policy narrative
A user can run the CLI or shell and execute Dirac programs that use <system>, <eval>, <llm execute="true">, cron, or the agent daemon. These are powerful package-aligned features, but inspection did not find lifecycle delivery, credential harvesting, exfiltration, persistence outside the documented ~/.dirac area, or mutation of foreign AI-agent control surfaces.
Rationale
Source inspection supports a warning for dangerous user-invoked AI scripting capabilities, not a malicious package block. The suspicious scanner findings are real primitives but are package-aligned and not triggered during install or import.
Evidence
package.jsondist/cli.jsdist/chunk-SYFYHKKI.jsdist/shell-IYJJWIQR.jsdist/agent-AQDM6UOR.jslib/ai.dilib/shell-init.di~/.dirac/config.yml~/.dirac/shell-init.di~/.dirac/lib/user~/.dirac/lib/{timestamp}~/.dirac/session.pid~/.dirac/agent.log~/.dirac_history
Network endpoints3
localhost:11434/api/generatelocalhost:5001/chat{host}:{port}/api/embeddings

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/chunk-SYFYHKKI.js implements <system> using child_process exec/spawn with shell/background support.
  • dist/chunk-SYFYHKKI.js implements <eval> via AsyncFunction with fs/path/session context.
  • lib/ai.di defines an ai helper that calls <llm execute="true">, allowing LLM-generated Dirac code execution.
  • dist/agent-AQDM6UOR.js user-invoked agent start creates ~/.dirac pid/log files and a detached daemon.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks.
  • dist/cli.js only activates shell, agent, or file execution from explicit CLI commands.
  • No code writes Claude/Codex/Cursor/MCP or other foreign AI-agent control surfaces.
  • Network calls are LLM/embedding provider features using configured OpenAI/Anthropic/local/custom endpoints.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 23 file(s), 242 KB of source

Source & flagged code

5 flagged · loading source
dist/chunk-SYFYHKKI.jsView file
matchType = previous_version_dangerous_delta matchedPackage = dirac-lang@0.1.94 matchedIdentity = npm:ZGlyYWMtbGFuZw:0.1.94 similarity = 0.957 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/chunk-SYFYHKKI.jsView on unpkg
1617// src/tags/system.ts L1618: import { exec, spawn } from "child_process"; L1619: import { promisify } from "util";
High
Child Process

Package source references child process execution.

dist/chunk-SYFYHKKI.jsView on unpkg · L1617
1619import { promisify } from "util"; L1620: var execAsync = promisify(exec); L1621: async function executeSystem(session, element) {
High
Shell

Package source references shell execution.

dist/chunk-SYFYHKKI.jsView on unpkg · L1619
299async function registerExtendChain(session, subroutine, currentName) { L300: const { executeSubroutine: executeSubroutine2 } = await import("./subroutine-7JJKHTV4.js"); L301: const extendsAttr = subroutine.attributes.extends;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/chunk-SYFYHKKI.jsView on unpkg · L299
dist/shell-IYJJWIQR.jsView file
20Cross-file remote execution chain: dist/shell-IYJJWIQR.js spawns dist/chunk-SYFYHKKI.js; helper contains network access plus dynamic code execution. L20: import yaml from "js-yaml"; L21: var HISTORY_FILE = path.join(os.homedir(), ".dirac_history"); L22: var MAX_HISTORY = 1e3; ... L41: input: process.stdin, L42: output: process.stdout, L43: prompt: "> ", ... L86: ]; L87: const envVarNames = Object.keys(process.env).filter( L88: (name) => commonEnvVars.includes(name) || name.startsWith("DIRAC_") || name.startsWith("TELEGRAM_") ... L588: try { L589: formattedValue = JSON.stringify(JSON.parse(v.value), null, 2); L590: } catch {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/shell-IYJJWIQR.jsView on unpkg · L20

Findings

1 Critical3 High3 Medium3 Low
CriticalPrevious Version Dangerous Deltadist/chunk-SYFYHKKI.js
HighChild Processdist/chunk-SYFYHKKI.js
HighShelldist/chunk-SYFYHKKI.js
HighCross File Remote Execution Contextdist/shell-IYJJWIQR.js
MediumDynamic Requiredist/chunk-SYFYHKKI.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings