AI Security Review
scanned 1d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a user-invoked CLI for installing a global Git pre-commit secret-scanning hook, with no install-time execution or network exfiltration.
Static reason
One or more suspicious static signals were detected.
Trigger
User explicitly runs gforge install/update/uninstall/verify
Impact
Can change the user's global Git hooks path and block commits containing secret-looking staged content; no evidence of data theft or remote payload execution.
Mechanism
Git global core.hooksPath management and local staged-file grep scanning
Rationale
The risky primitives are package-aligned and require explicit CLI invocation, not npm lifecycle execution. Source inspection found local Git hook installation and secret-pattern scanning only, with no concrete malicious chain.
Evidence
package.jsonbin/gforge.jssrc/cli.jssrc/installer.jssrc/hooks.jssrc/git-config.jssrc/environment.jssrc/verify.jssrc/metadata.js$HOME/.gforge/hooks/pre-commit$HOME/.gforge/state.jsonglobal git config core.hooksPath
Decision evidence
public snapshotAI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
- Explicit CLI install/update mutates global Git core.hooksPath and writes hooks under $HOME/.gforge
- Generated pre-commit hook runs git show and grep over staged blobs and blocks suspected secrets
Evidence against
- package.json has no preinstall/install/postinstall hook; prepublishOnly only runs tests
- bin/gforge.js only dispatches user-invoked CLI commands
- No network, exfiltration, eval/vm/Function, dynamic remote loading, or credential harvesting found
- Hook prints only matching file paths, not secret values, and remains package-aligned with manifest purpose
- Uninstall restores or unsets only GForge-managed core.hooksPath and removes GForge-owned files
Behavioral surface
ChildProcessEnvironmentVarsFilesystemShell
HighEntropyStrings
Source & flagged code
2 flagged · loading sourceREADME.mdView file
87patternName = aws_access_key
severity = critical
line = 87
matchedText = echo 'AW....txt
Critical
87patternName = aws_access_key
severity = critical
line = 87
matchedText = echo 'AW....txt
Critical
Findings
2 Critical1 Medium4 Low
CriticalCritical SecretREADME.md
CriticalSecret PatternREADME.md
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings