AI Security Review
scanned 3h ago · by lpm-firewall-aiA host that explicitly enables script Hooks can execute JavaScript supplied in Hook document bodies. Network and process execution are exposed through explicit resolver APIs, not installation or import.
Static reason
No blocking static signals were detected.
Trigger
A host sets `DNA_ALLOW_HOOK_SCRIPT_EXEC=1` and calls `applyHooks()` on an untrusted Hook document.
Impact
Arbitrary code execution in the opted-in host process.
Mechanism
Opt-in compilation of data-backed Hook bodies with `new Function`.
Rationale
No concrete malicious behavior was found, but the guarded, data-backed script-Hook path is a real high-impact dangerous capability if enabled for untrusted documents. Downgrade to warn rather than block because it is disabled by default and requires explicit host opt-in.
Evidence
package.jsondist/index.jsdist/kernel/instance.jsdist/adapters/resolvers/http.jsdist/adapters/resolvers/github.jsdist/adapters/embedding/onnx.js
Decision evidence
public snapshotAI called this Suspicious at 94.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
- `dist/kernel/instance.js` compiles Hook `spec.body` with `new Function`.
- Script Hook bodies originate from package-managed `HOOK.md` documents.
- Execution is enabled only with `DNA_ALLOW_HOOK_SCRIPT_EXEC=1`.
- `dist/adapters/resolvers/http.js` invokes `curl` only when `HttpResolver.resolve()` is called.
- `dist/adapters/resolvers/github.js` invokes `git clone` only when `GitHubResolver.resolve()` is called.
Evidence against
- `package.json` contains no preinstall, install, or postinstall hook.
- `dist/index.js` is export-only; inspection found no import-time network or shell action.
- Default Hook behavior skips script execution and emits a warning.
- Dynamic ONNX import is an optional peer dependency used only by `embed()`.
- No credential harvesting, exfiltration endpoint, destructive action, or agent-control-surface mutation was found.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/kernel/instance.jsView file
27* s-kernel-sandbox-hook-exec — whether a Hook's `action: "script"` may run
L28: * arbitrary code from `spec.body` via `new Function(...)`. OFF by default: a
L29: * Hook doc is reachable via the normal doc-write path, so executing its body is
Low
Eval
Package source references a known benign dynamic code generation pattern.
dist/kernel/instance.jsView on unpkg · L27dist/adapters/embedding/onnx.jsView file
24// type declarations are NOT installed by default, so a literal
L25: // `import("@huggingface/transformers")` would fail `tsc --noEmit` in CI
L26: // with TS2307. A string variable makes the dynamic import resolve to
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/adapters/embedding/onnx.jsView on unpkg · L24Findings
2 Medium5 Low
MediumDynamic Requiredist/adapters/embedding/onnx.js
MediumEnvironment Vars
LowScripts Present
LowEvaldist/kernel/instance.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings