registry  /  waforge  /  2.9.1

waforge@2.9.1

<p align="center"> <img src="docs/screenshots/dashboard.png" alt="WaForge Dashboard" width="800" /> </p>

AI Security Review

scanned 3d ago · by lpm-firewall-ai

The runtime LLM endpoint can start arbitrary configured MCP executables and invoke their exposed tools. This is a dangerous server-side capability, but it is not triggered during installation.

Static reason
One or more suspicious static signals were detected.
Trigger
An authenticated team user saves an MCP command, then calls `/api/llm/generate`.
Impact
A configured MCP executable can access server environment values and workspace files, perform arbitrary process actions, or exfiltrate data.
Mechanism
User-configured MCP subprocess execution with inherited environment and workspace root exposure.
Rationale
The package contains a real, high-impact arbitrary MCP command execution path, but it is a runtime feature initiated through authenticated settings rather than concrete malicious install behavior. Treat it as a dangerous capability requiring a warning, not a publish block.
Evidence
server/api/llm/generate.post.tsserver/api/settings/llm.put.tsserver/middleware/auth.tspackage.jsontest-register.js
Network endpoints6
api.openai.com/v1openrouter.ai/api/v1api.deepseek.comapi.mistral.ai/v1api.groq.com/openai/v1api.cohere.com/v1

Decision evidence

public snapshot
AI called this Suspicious at 94.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `server/api/llm/generate.post.ts` launches each saved MCP command through `StdioClientTransport`.
  • The launched MCP process inherits `process.env` and is given the package working directory as an MCP root.
  • Authenticated users can persist arbitrary `mcpServers` strings via `server/api/settings/llm.put.ts`.
  • LLM tool calls are forwarded to every discovered MCP tool without a package-side allowlist.
Evidence against
  • `package.json` postinstall only runs `nuxt prepare && prisma generate`; no foreign agent configuration mutation is shown.
  • No install-time network call, credential harvesting, payload download, or destructive command was found.
  • `test-register.js` only targets localhost with test credentials.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicenseWildcardDependency
scanned 109 file(s), 209 KB of source, external domains: 127.0.0.1, api.anthropic.com, api.cohere.com, api.deepseek.com, api.groq.com, api.mistral.ai, api.openai.com, fonts.googleapis.com, fonts.gstatic.com, generativelanguage.googleapis.com, graph.facebook.com, huggingface.co, openrouter.ai

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = nuxt prepare && prisma generate
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = nuxt prepare && prisma generate
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
test-register.jsView file
4patternName = generic_password severity = medium line = 4 matchedText = body: JS...' })
Medium
Secret Pattern

Package contains a possible secret pattern.

test-register.jsView on unpkg · L4

Findings

1 High5 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumSecret Patterntest-register.js
MediumNetwork
MediumEnvironment Vars
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License