AI Security Review
scanned 2h ago · by lpm-firewall-aiA configured Kimaki Discord bot can execute arbitrary shell input in its mapped project directory. Command output is returned through the Discord channel, exposing results to that channel and Discord.
Decision evidence
public snapshot- `src/commands/run-command.ts` passes arbitrary Discord command text to `execAsync` in a configured project directory.
- `src/exec-async.ts` wraps `child_process.exec`, enabling shell interpretation; stdout/stderr are returned to the caller.
- `src/discord-bot.ts` also treats `!`-prefixed Discord messages as shell commands and posts results back to Discord.
- `src/discord-command-registration.ts` registers `/run-shell-command` for guild use.
- `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
- `bin.js` only imports `dist/bin.js`; execution begins when the user invokes the CLI.
- `src/opencode.ts` writes its generated OpenCode config under the package-owned data directory (`~/.kimaki/opencode-config.json`), not a foreign agent configuration.
- No source evidence found of credential harvesting, hidden payload loading, or unrelated exfiltration.
Source & flagged code
5 flagged · loading sourceA single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/gateway-proxy-reconnect.e2e.test.jsView on unpkg · L23Source executes local commands and sends command output to an external endpoint.
dist/cli-runner.jsView on unpkg · L15A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/cli-runner.jsView on unpkg · L15