registry  /  gforge  /  0.1.0

gforge@0.1.0

Secure global Git hooks installer that blocks commits containing secrets, across macOS, Linux, and Windows.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a user-invoked CLI for installing a global Git pre-commit secret-scanning hook, with no install-time execution or network exfiltration.

Static reason
One or more suspicious static signals were detected.
Trigger
User explicitly runs gforge install/update/uninstall/verify
Impact
Can change the user's global Git hooks path and block commits containing secret-looking staged content; no evidence of data theft or remote payload execution.
Mechanism
Git global core.hooksPath management and local staged-file grep scanning
Rationale
The risky primitives are package-aligned and require explicit CLI invocation, not npm lifecycle execution. Source inspection found local Git hook installation and secret-pattern scanning only, with no concrete malicious chain.
Evidence
package.jsonbin/gforge.jssrc/cli.jssrc/installer.jssrc/hooks.jssrc/git-config.jssrc/environment.jssrc/verify.jssrc/metadata.js$HOME/.gforge/hooks/pre-commit$HOME/.gforge/state.jsonglobal git config core.hooksPath

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • Explicit CLI install/update mutates global Git core.hooksPath and writes hooks under $HOME/.gforge
  • Generated pre-commit hook runs git show and grep over staged blobs and blocks suspected secrets
Evidence against
  • package.json has no preinstall/install/postinstall hook; prepublishOnly only runs tests
  • bin/gforge.js only dispatches user-invoked CLI commands
  • No network, exfiltration, eval/vm/Function, dynamic remote loading, or credential harvesting found
  • Hook prints only matching file paths, not secret values, and remains package-aligned with manifest purpose
  • Uninstall restores or unsets only GForge-managed core.hooksPath and removes GForge-owned files
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 8 file(s), 23.0 KB of source

Source & flagged code

2 flagged · loading source
README.mdView file
87patternName = aws_access_key severity = critical line = 87 matchedText = echo 'AW....txt
Critical
Critical Secret

Package contains a critical-looking secret pattern.

README.mdView on unpkg · L87
87patternName = aws_access_key severity = critical line = 87 matchedText = echo 'AW....txt
Critical
Secret Pattern

AWS access key ID in README.md

README.mdView on unpkg · L87

Findings

2 Critical1 Medium4 Low
CriticalCritical SecretREADME.md
CriticalSecret PatternREADME.md
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings