registry  /  iuri-cli  /  0.1.4

iuri-cli@0.1.4

Agente/CLI estilo Claude Code que dirige ChatGPT/Gemini/Grok/DeepSeek pelo navegador (sem API paga), com TUI, modo plano, imagens e modelo auxiliar local.

AI Security Review

scanned 4h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `iuri`, approves a tool action, configures an allow rule, invokes a user command, or starts MCP serving with write access.
Impact
Approved or pre-allowed prompts can execute arbitrary local commands and modify/delete files; this is a dangerous dual-use capability.
Mechanism
Model-directed local tool execution with user-configurable permission gates.
Rationale
Source inspection does not support the scanner's malicious/Trojan Source finding or any covert persistence, theft, or install-time behavior. The package nevertheless exposes high-impact agent capabilities, so it warrants a warning rather than a block.
Evidence
package.jsonbin/iuri.tssrc/agent.tssrc/usercommands.tssrc/mcptools.tssrc/db.tsdist/src/usercommands.jssrc/mcpserver.tssrc/webfetch.tssrc/localapi.tssrc/daemon.ts

Decision evidence

public snapshot
AI called this Suspicious at 92.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `src/agent.ts` implements model-directed shell execution, file edits/deletes, database queries, MCP calls, and web fetch.
  • `src/agent.ts` permits actions after interactive confirmation or configured `allow` rules; command execution is not confined to the package directory.
  • `src/usercommands.ts` expands user-created `!` shell substitutions from `~/.iuri/commands` and project `.iuri/commands`.
  • `src/mcptools.ts` exposes write/exec/delete MCP tools only when the user starts it with write access.
  • `src/db.ts` can run `npm install <driver>` on demand for an explicitly requested database driver.
Evidence against
  • `package.json` has only `prepublishOnly`; no install-time lifecycle hook runs for consumers.
  • `bin/iuri.ts` is the sole package entrypoint and activates behavior only when the user runs `iuri`.
  • `src/agent.ts` gates mutating tools with confirmation, permission rules, and extra warning for writes outside the project.
  • No bidi control characters were found in `src/usercommands.ts` or `dist/src/usercommands.js`; the scanner Trojan Source claim is unsupported.
  • No source path shows credential harvesting, hidden exfiltration, remote payload download/execution, or AI-agent configuration mutation.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 129 file(s), 1.30 MB of source, external domains: 192.168.228.10, api.groq.com, chat.deepseek.com, chatgpt.com, duckduckgo.com, economia.awesomeapi.com.br, gemini.google.com, grok.com, text.pollinations.ai, wttr.in

Source & flagged code

3 flagged · loading source
dist/src/usercommands.jsView file
26contains invisible/control Unicode U+FEFF (zero width no-break space) const m = s.match(/^<U+FEFF>?---\r?\n([\s\S]*?)\r?\n---\r?\n?([\s\S]*)$/);
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/src/usercommands.jsView on unpkg · L26
Trigger-reachable chain: manifest.bin -> dist/bin/iuri.js -> dist/src/usercommands.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/src/usercommands.jsView on unpkg
src/edge_tts_server.pyView file
path = src/edge_tts_server.py kind = build_helper sizeBytes = 1255 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

src/edge_tts_server.pyView on unpkg

Findings

2 Critical5 Medium5 Low
CriticalTrojan Source Unicodedist/src/usercommands.js
CriticalTrigger Reachable Dangerous Capabilitydist/src/usercommands.js
MediumDynamic Require
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpersrc/edge_tts_server.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings