registry  /  waforge  /  2.15.7

waforge@2.15.7

<p align="center"> <img src="docs/screenshots/dashboard.png" alt="WaForge Dashboard" width="800" /> </p>

AI Security Review

scanned 1h ago · by lpm-firewall-ai

An authenticated registrant can persist an arbitrary MCP command and trigger its execution through the LLM route. The same route reads Cockpit credential files and can send the resulting token to direct external LLM endpoints.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Register or authenticate, save `mcpServers` through `/api/settings/llm`, then call `/api/llm/generate`.
Impact
Server-process code execution and potential exfiltration of foreign AI-agent credentials.
Mechanism
user-controlled MCP process launch plus Cockpit-token forwarding
Rationale
This is not install-time malware, but direct source inspection confirms an authenticated remote-code-execution path and foreign AI-agent credential exposure path. Flag as a critical vulnerability rather than malicious package intent.
Evidence
package.jsonserver/api/auth/register.post.tsserver/api/settings/llm.put.tsserver/api/llm/generate.post.tsbin/cockpit-tools-mcp.mjslib/whatsapp-engine.tsserver/utils/job-queue.ts
Network endpoints4
api.openai.com/v1openrouter.ai/api/v1generativelanguage.googleapis.com/v1beta/openai127.0.0.1:19528

Decision evidence

public snapshot
AI called this Suspicious at 99.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • `server/api/settings/llm.put.ts` stores arbitrary `mcpServers` command strings per team.
  • `server/api/llm/generate.post.ts` splits each stored string and launches it with `StdioClientTransport`.
  • `server/api/auth/register.post.ts` permits registration and creates an OWNER/team without an invite.
  • `server/api/llm/generate.post.ts` reads `~/.antigravity_cockpit` secrets/tokens.
  • That route forwards the loaded token as Bearer auth to direct LLM-provider fallbacks.
  • `package.json` postinstall only runs Nuxt/Prisma generation; no package payload launcher found.
Evidence against
  • No `preinstall` or arbitrary shell command appears in lifecycle scripts.
  • No hidden binary/native loader, eval, or encoded second-stage payload was found.
  • WhatsApp and Crikket network clients are application-aligned runtime integrations.
  • The password-reset utility is an explicit user-invoked database admin command.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicenseWildcardDependency
scanned 122 file(s), 297 KB of source, external domains: 127.0.0.1, api.anthropic.com, api.cohere.com, api.deepseek.com, api.groq.com, api.mistral.ai, api.openai.com, fonts.googleapis.com, fonts.gstatic.com, generativelanguage.googleapis.com, graph.facebook.com, host.docker.internal, huggingface.co, openrouter.ai

Source & flagged code

5 flagged · loading source
package.jsonView file
scripts.postinstall = nuxt prepare && prisma generate
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = nuxt prepare && prisma generate
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/reset-admin-password.tsView file
77patternName = generic_password severity = medium line = 77 matchedText = console....age)
Medium
Secret Pattern

Package contains a possible secret pattern.

bin/reset-admin-password.tsView on unpkg · L77
server/utils/job-queue.tsView file
matchType = previous_version_dangerous_delta matchedPackage = waforge@2.15.3 matchedIdentity = npm:d2Fmb3JnZQ:2.15.3 similarity = 0.925 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

server/utils/job-queue.tsView on unpkg
test-register.jsView file
4patternName = generic_password severity = medium line = 4 matchedText = body: JS...' })
Medium
Secret Pattern

Hardcoded password in test-register.js

test-register.jsView on unpkg · L4

Findings

2 High6 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
HighPrevious Version Dangerous Deltaserver/utils/job-queue.ts
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumSecret Patternbin/reset-admin-password.ts
MediumNetwork
MediumEnvironment Vars
MediumWildcard Dependency
MediumSecret Patterntest-register.js
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License