registry  /  dirac-lang  /  0.1.94

dirac-lang@0.1.94

LLM-Augmented Declarative Execution

AI Security Review

scanned 8d ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User invokes dirac/dish CLI, runs a Dirac file, starts shell, or starts agent daemon.
Impact
A malicious or unsafe Dirac program/model response could execute local commands or write package-owned state, but no unconsented lifecycle delivery was observed.
Mechanism
User-invoked LLM code execution and shell command tags
Policy narrative
A user can run Dirac code that asks an LLM to generate Dirac XML and, with execute mode, immediately interpret the result. The same runtime includes a documented <system> tag for shell commands and an explicit CLI command that starts a detached package-owned local session daemon under ~/.dirac. This is dangerous agentic capability, but inspection did not find install-time execution, credential harvesting, exfiltration, or foreign AI-agent control-surface mutation.
Rationale
The scanner findings map to package-aligned, user-invoked agentic execution features rather than a concrete malicious delivery path. Because the package intentionally enables LLM-driven code and shell execution, warn for dangerous capability instead of publish-blocking as malware.
Evidence
package.jsonREADME.mddist/cli.jsdist/index.jsdist/chunk-6CVWLZYL.jsdist/agent-L6C3Z2YG.jsdist/chunk-3MD2NFUM.jslib/native-tags.diconfig.yml~/.dirac/config.yml~/.dirac/shell-init.di~/.dirac/session.pid~/.dirac/session.sock~/.dirac/agent.log~/.dirac/lib/<timestamp>/<subroutine>.di
Network endpoints3
localhost:11434/api/generatelocalhost:5001/chat${host}:${port}/api/embeddings

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • README.md documents LLM-generated Dirac code that can immediately execute system commands.
  • dist/chunk-6CVWLZYL.js implements <system> via child_process exec/spawn, including background shell execution.
  • dist/chunk-6CVWLZYL.js supports <llm execute="true"> executing model output as Dirac code.
  • dist/agent-L6C3Z2YG.js starts a detached package-owned session daemon under ~/.dirac when user runs dirac agent start.
Evidence against
  • package.json has no npm lifecycle scripts, so suspicious code is not install-time triggered.
  • dist/index.js only exports APIs and imports modules; no observed import-time exfiltration or persistence.
  • dist/cli.js activates file execution, shell, or agent behavior only from explicit CLI commands.
  • No writes to foreign AI-agent control surfaces such as Claude/Codex/Cursor/MCP configs were found.
  • Network use is aligned with configured LLM providers or local embedding/custom LLM endpoints.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 23 file(s), 244 KB of source

Source & flagged code

5 flagged · loading source
dist/agent-L6C3Z2YG.jsView file
15import os from "os"; L16: import { spawn } from "child_process"; L17: var AGENT_DIR = path.join(os.homedir(), ".dirac");
High
Child Process

Package source references child process execution.

dist/agent-L6C3Z2YG.jsView on unpkg · L15
dist/chunk-6CVWLZYL.jsView file
matchType = previous_version_dangerous_delta matchedPackage = dirac-lang@0.1.92 matchedIdentity = npm:ZGlyYWMtbGFuZw:0.1.92 similarity = 0.913 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/chunk-6CVWLZYL.jsView on unpkg
1662import { promisify } from "util"; L1663: var execAsync = promisify(exec); L1664: async function executeSystem(session, element) {
High
Shell

Package source references shell execution.

dist/chunk-6CVWLZYL.jsView on unpkg · L1662
299async function registerExtendChain(session, subroutine, currentName) { L300: const { executeSubroutine: executeSubroutine2 } = await import("./subroutine-7JJKHTV4.js"); L301: const extendsAttr = subroutine.attributes.extends;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/chunk-6CVWLZYL.jsView on unpkg · L299
dist/shell-3FJRBNSJ.jsView file
20Cross-file remote execution chain: dist/shell-3FJRBNSJ.js spawns dist/chunk-6CVWLZYL.js; helper contains network access plus dynamic code execution. L20: import yaml from "js-yaml"; L21: var HISTORY_FILE = path.join(os.homedir(), ".dirac_history"); L22: var MAX_HISTORY = 1e3; ... L41: input: process.stdin, L42: output: process.stdout, L43: prompt: "> ", ... L86: ]; L87: const envVarNames = Object.keys(process.env).filter( L88: (name) => commonEnvVars.includes(name) || name.startsWith("DIRAC_") || name.startsWith("TELEGRAM_") ... L588: try { L589: formattedValue = JSON.stringify(JSON.parse(v.value), null, 2); L590: } catch {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/shell-3FJRBNSJ.jsView on unpkg · L20

Findings

1 Critical3 High3 Medium3 Low
CriticalPrevious Version Dangerous Deltadist/chunk-6CVWLZYL.js
HighChild Processdist/agent-L6C3Z2YG.js
HighShelldist/chunk-6CVWLZYL.js
HighCross File Remote Execution Contextdist/shell-3FJRBNSJ.js
MediumDynamic Requiredist/chunk-6CVWLZYL.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings