registry  /  giga-semantic-cli  /  1.0.8

giga-semantic-cli@1.0.8

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The explicit dashboard server exposes unauthenticated arbitrary shell execution through local HTTP endpoint `/api/run`; if made reachable to untrusted clients, it is RCE. The interactive CLI is also an AI-driven repository mutation and GitHub publishing tool, activated by user commands and confirmations. No install-time attack behavior is present.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User explicitly starts the dashboard or runs interactive `/heal` and `/ship` commands.
Impact
An untrusted dashboard client can execute commands as the dashboard user; accepted LLM output can modify the current repository and be force-pushed after user workflow.
Mechanism
Local command execution and LLM-driven workspace/Git mutation.
Rationale
The scanner's remote-decode/runtime-install claim is unsupported by the inspected sources. The package is a high-risk coding agent with a reachable dashboard command-execution flaw and opaque binaries, so it warrants a warning rather than a malicious block.
Evidence
package.jsondist/server.jsdist/agent.jsdist/cli.jsdist/tools/index.jsdist/binaries/.env.gitignore.gigarc
Network endpoints4
api.openai.com/v1/chat/completionsapi.deepseek.com/chat/completionslocalhost:11434/v1/chat/completionsapi.anthropic.com/v1/messages

Decision evidence

public snapshot
AI called this Suspicious at 89.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/server.js` POST `/api/run` passes arbitrary request `command` to `child_process.exec`.
  • `dist/agent.js` sends workspace source and issue text to configured LLM endpoints, then writes LLM-generated edits into workspace files.
  • `dist/cli.js` user commands can stage, force-push, create a PR, and close a GitHub issue.
  • Opaque native executables are shipped in `dist/binaries/`.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or other lifecycle hook.
  • `dist/tools/index.js` command helper visibly prompts the user before executing requested commands.
  • `dist/cli.js` writes API keys and GitHub token only after interactive `/connect` input, to the current project's `.env`.
  • No decoded payload, `eval`, `Function`, runtime package install, or remote-code loader was found in inspected JavaScript.
  • `dist/binaries/cli.js`, `agent.js`, and `tools/index.js` are byte-identical copies of the inspected `dist` sources.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 12 file(s), 184 KB of source, external domains: api.anthropic.com, api.deepseek.com, api.openai.com

Source & flagged code

5 flagged · loading source
dist/tools/index.jsView file
5import * as os from 'os'; L6: import { exec, execSync } from 'child_process'; L7: import chalk from 'chalk'; ... L18: } L19: export async function executeCommandSecurely(command, cwd = process.cwd()) { L20: console.log(chalk.cyan(`\n[Security Check] Requested command to run:`)); ... L27: return new Promise((resolve) => { L28: exec(command, { cwd }, (error, stdout, stderr) => { L29: resolve({ ... L52: catch (err) { L53: const owner = process.env.GITHUB_OWNER || ''; L54: const repo = process.env.GITHUB_REPO || '';
Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

dist/tools/index.jsView on unpkg · L5
Trigger-reachable chain: manifest.main -> dist/cli.js -> dist/tools/index.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/tools/index.jsView on unpkg
5import * as os from 'os'; L6: import { exec, execSync } from 'child_process'; L7: import chalk from 'chalk';
High
Child Process

Package source references child process execution.

dist/tools/index.jsView on unpkg · L5
330else if (fs.existsSync(path.join(cwd, 'tsconfig.json'))) { L331: command = 'npx tsc --noEmit'; L332: } ... L339: return new Promise((resolve) => { L340: exec(command, { cwd }, (error, stdout, stderr) => { L341: resolve({
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/tools/index.jsView on unpkg · L330
dist/binaries/giga-macosView file
path = dist/binaries/giga-macos kind = native_binary sizeBytes = 72575267 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

dist/binaries/giga-macosView on unpkg

Findings

2 Critical3 High4 Medium4 Low
CriticalRemote Asset Decode Executedist/tools/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/tools/index.js
HighChild Processdist/tools/index.js
HighShell
HighRuntime Package Installdist/tools/index.js
MediumNetwork
MediumEnvironment Vars
MediumShips Native Binarydist/binaries/giga-macos
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings