registry  /  dirac-lang  /  0.1.95

dirac-lang@0.1.95

LLM-Augmented Declarative Execution

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is a Dirac language interpreter/CLI with explicit user-invoked shell, eval, LLM, and agent features.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User invokes the dirac/dish CLI or calls exported execution APIs with Dirac source.
Impact
Dangerous primitives are available to Dirac programs, but static inspection did not show unconsented install/import-time abuse or hidden exfiltration.
Mechanism
Interpreter executes user-authored language tags and configured LLM calls.
Rationale
Static source inspection shows powerful interpreter capabilities, but they are exposed as documented/user-triggered runtime features with no lifecycle hook, import-time execution, hidden credential collection, or unsolicited remote execution chain. The scanner signals are explainable by package-aligned shell, eval, LLM, and agent functionality.
Evidence
package.jsondist/index.jsdist/cli.jsdist/chunk-NUNYBLVJ.jsdist/chunk-PPH7KYKH.jsdist/agent-SVKTURXE.jsdist/chunk-IFBJYN2F.jsdist/shell-SUNLGPOM.js
Network endpoints3
localhost:11434/api/generatelocalhost:5001/chatlocalhost:11434/api/embeddings

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/chunk-NUNYBLVJ.js exposes user-invoked <system> shell execution and <eval> AsyncFunction in the Dirac language runtime.
  • dist/chunk-NUNYBLVJ.js and dist/chunk-PPH7KYKH.js can call LLM/embedding endpoints using env/config-selected providers.
  • dist/agent-SVKTURXE.js starts a user-commanded background agent and writes under ~/.dirac.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts.
  • dist/index.js import exports APIs without starting processes, network calls, or shell commands.
  • dist/cli.js only runs when bin is invoked and reads explicit input/config files before executing Dirac code.
  • Network use is package-aligned LLM/custom-local provider behavior, not hidden exfiltration.
  • No credential harvesting loop, broad filesystem scan, remote payload download, or AI-agent control-surface mutation found.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 23 file(s), 246 KB of source

Source & flagged code

5 flagged · loading source
dist/chunk-NUNYBLVJ.jsView file
matchType = previous_version_dangerous_delta matchedPackage = dirac-lang@0.1.94 matchedIdentity = npm:ZGlyYWMtbGFuZw:0.1.94 similarity = 0.957 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/chunk-NUNYBLVJ.jsView on unpkg
1716// src/tags/system.ts L1717: import { exec, spawn } from "child_process"; L1718: import { promisify } from "util";
High
Child Process

Package source references child process execution.

dist/chunk-NUNYBLVJ.jsView on unpkg · L1716
1718import { promisify } from "util"; L1719: var execAsync = promisify(exec); L1720: async function executeSystem(session, element) {
High
Shell

Package source references shell execution.

dist/chunk-NUNYBLVJ.jsView on unpkg · L1718
299async function registerExtendChain(session, subroutine, currentName) { L300: const { executeSubroutine: executeSubroutine2 } = await import("./subroutine-7JJKHTV4.js"); L301: const extendsAttr = subroutine.attributes.extends;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/chunk-NUNYBLVJ.jsView on unpkg · L299
dist/shell-SUNLGPOM.jsView file
20Cross-file remote execution chain: dist/shell-SUNLGPOM.js spawns dist/chunk-NUNYBLVJ.js; helper contains network access plus dynamic code execution. L20: import yaml from "js-yaml"; L21: var HISTORY_FILE = path.join(os.homedir(), ".dirac_history"); L22: var MAX_HISTORY = 1e3; ... L41: input: process.stdin, L42: output: process.stdout, L43: prompt: "> ", ... L86: ]; L87: const envVarNames = Object.keys(process.env).filter( L88: (name) => commonEnvVars.includes(name) || name.startsWith("DIRAC_") || name.startsWith("TELEGRAM_") ... L588: try { L589: formattedValue = JSON.stringify(JSON.parse(v.value), null, 2); L590: } catch {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/shell-SUNLGPOM.jsView on unpkg · L20

Findings

1 Critical3 High3 Medium3 Low
CriticalPrevious Version Dangerous Deltadist/chunk-NUNYBLVJ.js
HighChild Processdist/chunk-NUNYBLVJ.js
HighShelldist/chunk-NUNYBLVJ.js
HighCross File Remote Execution Contextdist/shell-SUNLGPOM.js
MediumDynamic Requiredist/chunk-NUNYBLVJ.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings