registry  /  dna-sdk  /  0.9.0

dna-sdk@0.9.0

DNA — Domain Notation of Anything (TypeScript SDK)

AI Security Review

scanned 3h ago · by lpm-firewall-ai

A host that explicitly enables script Hooks can execute JavaScript supplied in Hook document bodies. Network and process execution are exposed through explicit resolver APIs, not installation or import.

Static reason
No blocking static signals were detected.
Trigger
A host sets `DNA_ALLOW_HOOK_SCRIPT_EXEC=1` and calls `applyHooks()` on an untrusted Hook document.
Impact
Arbitrary code execution in the opted-in host process.
Mechanism
Opt-in compilation of data-backed Hook bodies with `new Function`.
Rationale
No concrete malicious behavior was found, but the guarded, data-backed script-Hook path is a real high-impact dangerous capability if enabled for untrusted documents. Downgrade to warn rather than block because it is disabled by default and requires explicit host opt-in.
Evidence
package.jsondist/index.jsdist/kernel/instance.jsdist/adapters/resolvers/http.jsdist/adapters/resolvers/github.jsdist/adapters/embedding/onnx.js

Decision evidence

public snapshot
AI called this Suspicious at 94.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • `dist/kernel/instance.js` compiles Hook `spec.body` with `new Function`.
  • Script Hook bodies originate from package-managed `HOOK.md` documents.
  • Execution is enabled only with `DNA_ALLOW_HOOK_SCRIPT_EXEC=1`.
  • `dist/adapters/resolvers/http.js` invokes `curl` only when `HttpResolver.resolve()` is called.
  • `dist/adapters/resolvers/github.js` invokes `git clone` only when `GitHubResolver.resolve()` is called.
Evidence against
  • `package.json` contains no preinstall, install, or postinstall hook.
  • `dist/index.js` is export-only; inspection found no import-time network or shell action.
  • Default Hook behavior skips script execution and emits a warning.
  • Dynamic ONNX import is an optional peer dependency used only by `embed()`.
  • No credential harvesting, exfiltration endpoint, destructive action, or agent-control-surface mutation was found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 111 file(s), 914 KB of source, external domains: agents.md, github.com, raw.githubusercontent.com

Source & flagged code

2 flagged · loading source
dist/kernel/instance.jsView file
27* s-kernel-sandbox-hook-exec — whether a Hook's `action: "script"` may run L28: * arbitrary code from `spec.body` via `new Function(...)`. OFF by default: a L29: * Hook doc is reachable via the normal doc-write path, so executing its body is
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/kernel/instance.jsView on unpkg · L27
dist/adapters/embedding/onnx.jsView file
24// type declarations are NOT installed by default, so a literal L25: // `import("@huggingface/transformers")` would fail `tsc --noEmit` in CI L26: // with TS2307. A string variable makes the dynamic import resolve to
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/adapters/embedding/onnx.jsView on unpkg · L24

Findings

2 Medium5 Low
MediumDynamic Requiredist/adapters/embedding/onnx.js
MediumEnvironment Vars
LowScripts Present
LowEvaldist/kernel/instance.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings