registry  /  kimaki  /  0.22.0

kimaki@0.22.0

AI Security Review

scanned 2h ago · by lpm-firewall-ai

A configured Kimaki Discord bot can execute arbitrary shell input in its mapped project directory. Command output is returned through the Discord channel, exposing results to that channel and Discord.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
A Discord guild user invokes `/run-shell-command` or sends a `!`-prefixed message after the bot has been configured for that project.
Impact
Remote code execution in the configured project context and disclosure of command output to the Discord recipient/channel.
Mechanism
Discord-triggered shell execution via `child_process.exec` with output relayed to Discord.
Rationale
The package contains an explicit Discord-to-shell remote execution feature with command-output disclosure, so it warrants a warning. It lacks install-time execution, stealth persistence, credential theft, or a concrete malicious chain that would justify blocking.
Evidence
package.jsonbin.jssrc/bin.tssrc/commands/run-command.tssrc/discord-bot.tssrc/discord-command-registration.tssrc/exec-async.tssrc/opencode.tssrc/config.ts~/.kimaki/opencode-config.json
Network endpoints2
discord.comwss://discord-gateway.kimaki.dev

Decision evidence

public snapshot
AI called this Suspicious at 92.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `src/commands/run-command.ts` passes arbitrary Discord command text to `execAsync` in a configured project directory.
  • `src/exec-async.ts` wraps `child_process.exec`, enabling shell interpretation; stdout/stderr are returned to the caller.
  • `src/discord-bot.ts` also treats `!`-prefixed Discord messages as shell commands and posts results back to Discord.
  • `src/discord-command-registration.ts` registers `/run-shell-command` for guild use.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • `bin.js` only imports `dist/bin.js`; execution begins when the user invokes the CLI.
  • `src/opencode.ts` writes its generated OpenCode config under the package-owned data directory (`~/.kimaki/opencode-config.json`), not a foreign agent configuration.
  • No source evidence found of credential harvesting, hidden payload loading, or unrelated exfiltration.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicenseWildcardDependency
scanned 447 file(s), 4.78 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.openai.com, auth.openai.com, bun.sh, claude.ai, critique.work, discord.com, example.com, fake-cdn.discord.test, generativelanguage.googleapis.com, github.com, json-schema.org, kimaki.dev, novnc.com, opencode.ai, platform.claude.com, registry.npmjs.org, www.apple.com

Source & flagged code

5 flagged · loading source
dist/tools.jsView file
5import { z } from 'zod'; L6: import { spawn } from 'node:child_process'; L7: import net from 'node:net';
High
Child Process

Package source references child process execution.

dist/tools.jsView on unpkg · L5
dist/opencode.jsView file
260// Resolve the full path to the opencode binary so we can spawn without L261: // shell: true. Using shell: true creates an intermediate sh process — when L262: // cleanup sends SIGTERM it only kills the shell, leaving the actual opencode
High
Shell

Package source references shell execution.

dist/opencode.jsView on unpkg · L260
dist/gateway-proxy-reconnect.e2e.test.jsView file
23import path from 'node:path'; L24: import net from 'node:net'; L25: import { spawn } from 'node:child_process'; L26: import { describe, test, expect, afterAll, afterEach } from 'vitest'; ... L33: // --- Config from env --- L34: const PROD_GATEWAY_URL = process.env['GATEWAY_TEST_URL'] || ''; L35: const PROD_TOKEN = process.env['GATEWAY_TEST_TOKEN'] || '';
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/gateway-proxy-reconnect.e2e.test.jsView on unpkg · L23
dist/cli-runner.jsView file
15import os from 'node:os'; L16: import { spawn } from 'node:child_process'; L17: import { createLogger, LogPrefix } from './logger.js'; ... L35: // These are hardcoded because they're deploy-time constants for the gateway infrastructure. L36: export const KIMAKI_GATEWAY_PROXY_URL = process.env.KIMAKI_GATEWAY_PROXY_URL || L37: 'wss://discord-gateway.kimaki.dev'; ... L40: }); L41: export function getOpenUrlCommand(url, platform = process.platform) { L42: if (platform === 'darwin') { ... L63: // iTerm2 and other terminals wrap pasted content with \x1b[200~ and \x1b[201~ L64: // which can cause validation to fail on macOS. See: https://github.com/remorses/kimaki/issues/18 L65: export function stripBracketedPaste(value) {
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/cli-runner.jsView on unpkg · L15
15Trigger-reachable chain: manifest.bin -> bin.js -> dist/bin.js -> dist/cli.js -> dist/cli-runner.js L15: import os from 'node:os'; L16: import { spawn } from 'node:child_process'; L17: import { createLogger, LogPrefix } from './logger.js'; ... L35: // These are hardcoded because they're deploy-time constants for the gateway infrastructure. L36: export const KIMAKI_GATEWAY_PROXY_URL = process.env.KIMAKI_GATEWAY_PROXY_URL || L37: 'wss://discord-gateway.kimaki.dev'; ... L40: }); L41: export function getOpenUrlCommand(url, platform = process.platform) { L42: if (platform === 'darwin') { ... L63: // iTerm2 and other terminals wrap pasted content with \x1b[200~ and \x1b[201~ L64: // which can cause validation to fail on macOS. See: https://github.com/remorses/kimaki/issues/18 L65: export function stripBracketedPaste(value) {
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cli-runner.jsView on unpkg · L15

Findings

2 Critical3 High4 Medium5 Low
CriticalCommand Output Exfiltrationdist/cli-runner.js
CriticalTrigger Reachable Dangerous Capabilitydist/cli-runner.js
HighChild Processdist/tools.js
HighShelldist/opencode.js
HighSame File Env Network Executiondist/gateway-proxy-reconnect.e2e.test.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License