registry  /  giga-semantic-cli  /  1.0.3

giga-semantic-cli@1.0.3

Git-Grounded Autonomous AI Self-Healing Coding Agent

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No install-time malicious behavior is confirmed, but the optional dashboard server exposes unauthenticated arbitrary command execution. The CLI is a user-invoked AI coding agent with broad filesystem, git, shell, and network capabilities.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs npm script dashboard or otherwise starts dist/server.js; CLI capabilities trigger via giga commands.
Impact
Command execution in the user's project environment; possible credential exposure or code changes if dashboard is reachable or misused.
Mechanism
unauthenticated local HTTP command execution and explicit AI-agent filesystem/git mutation
Rationale
Static inspection supports a warn-level verdict for a dangerous user-invoked capability and dashboard RCE vulnerability, not a malicious publish block. Scanner claims of remote asset decode/execute were not confirmed in source.
Evidence
package.jsondist/server.jsdist/cli.jsdist/agent.jsdist/tools/index.jsdist/binaries/cli.js~/.gigarc.env.local.gitignoreworkspace source filesgit branches/commits
Network endpoints4
api.openai.com/v1/chat/completionsapi.groq.com/openai/v1/chat/completionsapi.anthropic.com/v1/messagesgenerativelanguage.googleapis.com/

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Critical Vulnerability with medium false-positive risk.
Evidence for warning
  • dist/server.js exposes POST /api/run that execs arbitrary request body command.
  • dist/server.js uses npx tsx src/cli.ts for dashboard commands, but src is not shipped.
  • dist/tools/index.js can apply LLM-provided patches to arbitrary resolved paths and run npm test.
  • dist/tools/index.js writes credentials to ~/.gigarc and .env.local via explicit connectProvider.
  • Package ships large native binaries in dist/binaries, though bin points to JS wrapper.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • No eval/Function/vm/base64 decode or remote asset execution found in inspected JS.
  • Network calls are aligned with declared AI/GitHub agent workflow.
  • CLI raw shell execution uses an interactive confirmation prompt.
  • Secret reads are provider/GitHub tokens used for configured API calls, not broad harvesting.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 7 file(s), 397 KB of source, external domains: api.anthropic.com, api.groq.com, api.openai.com, dotenvx.com, github.com
Oversized source lightweight scan
dist/binaries/cli.js2.08 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsHighEntropyStringsUrlStringsapi.anthropic.comapi.groq.comapi.openai.comdotenvx.comgithub.com

Source & flagged code

7 flagged · loading source
dist/tools/index.jsView file
5import * as os from 'os'; L6: import { exec, execSync } from 'child_process'; L7: import chalk from 'chalk'; ... L18: } L19: export async function executeCommandSecurely(command, cwd = process.cwd()) { L20: console.log(chalk.cyan(`\n[Security Check] Requested command to run:`)); ... L27: return new Promise((resolve) => { L28: exec(command, { cwd }, (error, stdout, stderr) => { L29: resolve({ ... L52: catch (err) { L53: const owner = process.env.GITHUB_OWNER || ''; L54: const repo = process.env.GITHUB_REPO || '';
Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

dist/tools/index.jsView on unpkg · L5
Trigger-reachable chain: manifest.main -> dist/cli.js -> dist/tools/index.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/tools/index.jsView on unpkg
5import * as os from 'os'; L6: import { exec, execSync } from 'child_process'; L7: import chalk from 'chalk';
High
Child Process

Package source references child process execution.

dist/tools/index.jsView on unpkg · L5
dist/server.jsView file
34const issueNum = command.substring(7).trim(); L35: exec(`npx tsx src/cli.ts start ${issueNum}`, (error, stdout, stderr) => { L36: res.json({ output: stdout + '\n' + stderr });
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/server.jsView on unpkg · L34
dist/binaries/giga-macosView file
path = dist/binaries/giga-macos kind = native_binary sizeBytes = 72575267 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

dist/binaries/giga-macosView on unpkg
dist/binaries/cli.jsView file
path = dist/binaries/cli.js kind = oversized_source_file sizeBytes = 2185471 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/binaries/cli.jsView on unpkg
path = dist/binaries/cli.js kind = oversized_cli_entrypoint sizeBytes = 2185471 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/binaries/cli.jsView on unpkg

Findings

2 Critical4 High5 Medium4 Low
CriticalRemote Asset Decode Executedist/tools/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/tools/index.js
HighChild Processdist/tools/index.js
HighShell
HighRuntime Package Installdist/server.js
HighOversized Source Filedist/binaries/cli.js
MediumNetwork
MediumEnvironment Vars
MediumShips Native Binarydist/binaries/giga-macos
MediumOversized Cli Entrypointdist/binaries/cli.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings