registry  /  iuri-cli  /  0.1.5

iuri-cli@0.1.5

Agente/CLI estilo Claude Code que dirige ChatGPT/Gemini/Grok/DeepSeek pelo navegador (sem API paga), com TUI, modo plano, imagens e modelo auxiliar local.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs `iuri` and approves an agent-proposed `run`, write, delete, or similar action.
Impact
Approved commands can modify the host, install software, or access user-selected project data.
Mechanism
Interactive AI-agent shell and filesystem tooling.
Rationale
The malicious scanner verdict is not supported by the inspected source: the lifecycle hook is publish-only and the Unicode finding is BOM handling. Because this package intentionally exposes broadly capable AI-agent host tooling, it warrants a warning rather than a publish block.
Evidence
package.jsonbin/iuri.tssrc/agent.tssrc/usercommands.tssrc/db.tsdist/bin/iuri.jsdist/src/agent.js

Decision evidence

public snapshot
AI called this Suspicious at 89.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/bin/iuri.js` exposes an AI-agent CLI that starts a local daemon.
  • `dist/src/agent.js` can execute arbitrary shell commands through its `run` tool after confirmation.
  • `src/usercommands.ts` supports user-authored `!`-backtick shell substitutions.
  • `src/db.ts` can install a missing database driver during an invoked database operation.
Evidence against
  • `package.json` has only `prepublishOnly`; no install-time lifecycle hook runs for consumers.
  • Shell, file-write, delete, and mutating Git operations are gated by interactive confirmation in `src/agent.ts` and `bin/iuri.ts`.
  • No source evidence of credential harvesting, covert exfiltration, remote payload loading, or hidden persistence.
  • The reported invisible character in `src/usercommands.ts` is an intentional BOM matcher/remover, not concealed executable logic.
  • Network code targets the configured AI/browser/local-provider workflow rather than a covert endpoint.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 129 file(s), 1.30 MB of source, external domains: 192.168.228.10, api.groq.com, chat.deepseek.com, chatgpt.com, duckduckgo.com, economia.awesomeapi.com.br, gemini.google.com, grok.com, text.pollinations.ai, wttr.in

Source & flagged code

4 flagged · loading source
dist/src/usercommands.jsView file
26contains invisible/control Unicode U+FEFF (zero width no-break space) const m = s.match(/^<U+FEFF>?---\r?\n([\s\S]*?)\r?\n---\r?\n?([\s\S]*)$/);
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/src/usercommands.jsView on unpkg · L26
Trigger-reachable chain: manifest.bin -> dist/bin/iuri.js -> dist/src/usercommands.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/src/usercommands.jsView on unpkg
src/edge_tts_server.pyView file
path = src/edge_tts_server.py kind = build_helper sizeBytes = 1255 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

src/edge_tts_server.pyView on unpkg
dist/src/agent.jsView file
matchType = previous_version_dangerous_delta matchedPackage = iuri-cli@0.1.4 matchedIdentity = npm:aXVyaS1jbGk:0.1.4 similarity = 0.967 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/src/agent.jsView on unpkg

Findings

3 Critical5 Medium5 Low
CriticalTrojan Source Unicodedist/src/usercommands.js
CriticalTrigger Reachable Dangerous Capabilitydist/src/usercommands.js
CriticalPrevious Version Dangerous Deltadist/src/agent.js
MediumDynamic Require
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpersrc/edge_tts_server.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings