registry  /  gibil  /  0.6.0

gibil@0.6.0

Your own machine, on demand. Forge, use, burn.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs gibil init, gibil mcp, or VM management commands
Impact
AI agent can operate user-created cloud VMs after configuration; command telemetry is sent unless disabled
Mechanism
explicit MCP config mutation and remote VM command tooling
Rationale
Static inspection supports a warning for explicit AI-agent/MCP capability setup, not a malicious block. Scanner exfiltration hints appear to conflate package-aligned telemetry/cloud API calls with credential theft.
Evidence
package.jsondist/cli/index.jsdist/utils/telemetry-send.jsREADME.md~/.claude.json~/.gibil/config.json~/.gibil/device_id~/.gibil/instances~/.gibil/keys~/.gibil/jobs
Network endpoints5
zopdxjruwktjyjunitrv.supabase.co/functions/v1zopdxjruwktjyjunitrv.supabase.co/functions/v1/telemetry-ingestapi.hetzner.cloud/v1api.vultr.com/v21.1.1.1/cdn-cgi/trace

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/cli/index.js:init writes mcpServers.gibil into ~/.claude.json on explicit gibil init
  • dist/cli/index.js:mcp command exposes VM tools including vm_bash, vm_write, vm_read over user-created cloud servers
  • dist/cli/index.js:opt-out telemetry forks dist/utils/telemetry-send.js and posts command metadata/device hash to Supabase
Evidence against
  • package.json has no preinstall/install/postinstall hooks; only prepublishOnly build
  • Network endpoints are package-aligned: Gibil Supabase, Hetzner, Vultr, GitHub, Cloudflare IP detection
  • Cloud tokens are requested during init/auth and stored under ~/.gibil/config.json for advertised cloud VM workflow
  • No evidence of broad env harvesting; telemetry payload is constructed fields, not process.env dump
  • Shell/child_process use is for documented ssh, ssh-keygen, git, and remote VM execution commands
Behavioral surface
Source
ChildProcessEnvironmentVarsNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 110 KB of source, external domains: api.hetzner.cloud, api.vultr.com, cli.github.com, console.vultr.com, deb.nodesource.com, get.docker.com, gibil.dev, github.com, go.dev, raw.githubusercontent.com, www.vultr.com, zopdxjruwktjyjunitrv.supabase.co

Source & flagged code

6 flagged · loading source
dist/cli/index.jsView file
9${v(" g i b i l")} ${p(ht)} L10: `,Mr=`${L} ${v("gibil")} ${p(ht)}`,Nr=["\u280B","\u2819","\u2839","\u2838","\u283C","\u2834","\u2826","\u2827","\u2807","\u280F"],Xe=class{timer=null;frame=0;text;constructor(e){th... L11: `),this)}update(e){this.text=e,process.stderr.isTTY||process.stderr.write(` ${e} ... L13: `)}fail(e){this.stop(),process.stderr.write(`\r ${Qe} ${e??this.text} L14: `)}stop(){this.timer&&(clearInterval(this.timer),this.timer=null,process.stderr.isTTY&&process.stderr.write("\r\x1B[K"))}};R={welcome:`${L} Your first fire. Welcome to Gibil.`,noIn... L15: Your Hetzner token may be invalid or expired. Run: gibil init --force`:t===409&&e.includes("name")?` ... L22: Your Vultr API key may be invalid. Re-run: gibil init --provider vultr --token <new-key>`:t===429?` L23: Rate limited by Vultr. Wait a moment and retry.`:""}function dr(t){let e=t.status;t.status==="active"&&t.power_status==="running"?e="running":t.status==="pending"&&(e="initializing... L24: `}function no(t){return t.toString("base64")}function Ct(t){return Buffer.from(t,"base64")}function io(t,e){if(t.length!==e.length)return!1;let r=Buffer.from(t,"utf8"),n=Buffer.fro... ... L28: `)}function Nt(t)
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/cli/index.jsView on unpkg · L9
9Trigger-reachable chain: manifest.bin -> dist/cli/index.js L9: ${v(" g i b i l")} ${p(ht)} L10: `,Mr=`${L} ${v("gibil")} ${p(ht)}`,Nr=["\u280B","\u2819","\u2839","\u2838","\u283C","\u2834","\u2826","\u2827","\u2807","\u280F"],Xe=class{timer=null;frame=0;text;constructor(e){th... L11: `),this)}update(e){this.text=e,process.stderr.isTTY||process.stderr.write(` ${e} ... L13: `)}fail(e){this.stop(),process.stderr.write(`\r ${Qe} ${e??this.text} L14: `)}stop(){this.timer&&(clearInterval(this.timer),this.timer=null,process.stderr.isTTY&&process.stderr.write("\r\x1B[K"))}};R={welcome:`${L} Your first fire. Welcome to Gibil.`,noIn... L15: Your Hetzner token may be invalid or expired. Run: gibil init --force`:t===409&&e.includes("name")?` ... L22: Your Vultr API key may be invalid. Re-run: gibil init --provider vultr --token <new-key>`:t===429?` L23: Rate limited by Vultr. Wait a moment and retry.`:""}function dr(t){let e=t.status;t.status==="active"&&t.power_status==="running"?e="running":t.status==="pending"&&(e="initializing... L24: `}function no(t){return t.toString("base64")}function Ct(t){return Buffer.from(t,"base64")}function io(t,e){if(t.length!==e.length)return!1;let r=Buff…
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cli/index.jsView on unpkg · L9
22Your Vultr API key may be invalid. Re-run: gibil init --provider vultr --token <new-key>`:t===429?` L23: Rate limited by Vultr. Wait a moment and retry.`:""}function dr(t){let e=t.status;t.status==="active"&&t.power_status==="running"?e="running":t.status==="pending"&&(e="initializing... L24: `}function no(t){return t.toString("base64")}function Ct(t){return Buffer.from(t,"base64")}function io(t,e){if(t.length!==e.length)return!1;let r=Buffer.from(t,"utf8"),n=Buffer.fro...
High
Child Process

Package source references child process execution.

dist/cli/index.jsView on unpkg · L22
13`)}fail(e){this.stop(),process.stderr.write(`\r ${Qe} ${e??this.text} L14: `)}stop(){this.timer&&(clearInterval(this.timer),this.timer=null,process.stderr.isTTY&&process.stderr.write("\r\x1B[K"))}};R={welcome:`${L} Your first fire. Welcome to Gibil.`,noIn... L15: Your Hetzner token may be invalid or expired. Run: gibil init --force`:t===409&&e.includes("name")?` ... L22: Your Vultr API key may be invalid. Re-run: gibil init --provider vultr --token <new-key>`:t===429?` L23: Rate limited by Vultr. Wait a moment and retry.`:""}function dr(t){let e=t.status;t.status==="active"&&t.power_status==="running"?e="running":t.status==="pending"&&(e="initializing... L24: `}function no(t){return t.toString("base64")}function Ct(t){return Buffer.from(t,"base64")}function io(t,e){if(t.length!==e.length)return!1;let r=Buffer.from(t,"utf8"),n=Buffer.fro...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli/index.jsView on unpkg · L13
9${v(" g i b i l")} ${p(ht)} L10: `,Mr=`${L} ${v("gibil")} ${p(ht)}`,Nr=["\u280B","\u2819","\u2839","\u2838","\u283C","\u2834","\u2826","\u2827","\u2807","\u280F"],Xe=class{timer=null;frame=0;text;constructor(e){th... L11: `),this)}update(e){this.text=e,process.stderr.isTTY||process.stderr.write(` ${e} ... L13: `)}fail(e){this.stop(),process.stderr.write(`\r ${Qe} ${e??this.text} L14: `)}stop(){this.timer&&(clearInterval(this.timer),this.timer=null,process.stderr.isTTY&&process.stderr.write("\r\x1B[K"))}};R={welcome:`${L} Your first fire. Welcome to Gibil.`,noIn... L15: Your Hetzner token may be invalid or expired. Run: gibil init --force`:t===409&&e.includes("name")?` ... L22: Your Vultr API key may be invalid. Re-run: gibil init --provider vultr --token <new-key>`:t===429?` L23: Rate limited by Vultr. Wait a moment and retry.`:""}function dr(t){let e=t.status;t.status==="active"&&t.power_status==="running"?e="running":t.status==="pending"&&(e="initializing... L24: `}function no(t){return t.toString("base64")}function Ct(t){return Buffer.from(t,"base64")}function io(t,e){if(t.length!==e.length)return!1;let r=Buffer.from(t,"utf8"),n=Buffer.fro...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli/index.jsView on unpkg · L9
9${v(" g i b i l")} ${p(ht)} L10: `,Mr=`${L} ${v("gibil")} ${p(ht)}`,Nr=["\u280B","\u2819","\u2839","\u2838","\u283C","\u2834","\u2826","\u2827","\u2807","\u280F"],Xe=class{timer=null;frame=0;text;constructor(e){th... L11: `),this)}update(e){this.text=e,process.stderr.isTTY||process.stderr.write(` ${e} ... L13: `)}fail(e){this.stop(),process.stderr.write(`\r ${Qe} ${e??this.text} L14: `)}stop(){this.timer&&(clearInterval(this.timer),this.timer=null,process.stderr.isTTY&&process.stderr.write("\r\x1B[K"))}};R={welcome:`${L} Your first fire. Welcome to Gibil.`,noIn... L15: Your Hetzner token may be invalid or expired. Run: gibil init --force`:t===409&&e.includes("name")?` ... L22: Your Vultr API key may be invalid. Re-run: gibil init --provider vultr --token <new-key>`:t===429?` L23: Rate limited by Vultr. Wait a moment and retry.`:""}function dr(t){let e=t.status;t.status==="active"&&t.power_status==="running"?e="running":t.status==="pending"&&(e="initializing... L24: `}function no(t){return t.toString("base64")}function Ct(t){return Buffer.from(t,"base64")}function io(t,e){if(t.length!==e.length)return!1;let r=Buffer.from(t,"utf8"),n=Buffer.fro... ... L28: `)}function Nt(t)
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli/index.jsView on unpkg · L9

Findings

2 Critical3 High4 Medium5 Low
CriticalCredential Exfiltrationdist/cli/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/cli/index.js
HighChild Processdist/cli/index.js
HighSame File Env Network Executiondist/cli/index.js
HighCommand Output Exfiltrationdist/cli/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/cli/index.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings