registry  /  wigolo  /  0.1.40-beta.0

wigolo@0.1.40-beta.0

Local-first web intelligence MCP server for AI coding agents

AI Security Review

scanned 12d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Risky primitives are tied to explicit web-search/MCP setup, local SearXNG bootstrap, user plugin loading, or configured LLM/search providers.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs wigolo CLI commands such as init, warmup, setup mcp, serve, fetch, search, or mcp.
Impact
Expected network fetch/search, cache writes, local agent config updates, and optional key storage; no credential harvesting or covert exfiltration found.
Mechanism
User-invoked local web intelligence MCP server with optional local services and provider API calls.
Rationale
Static inspection found a web intelligence/MCP tool with broad but package-aligned network, subprocess, config, and plugin behavior activated by explicit commands. There is no install-time execution, covert credential collection, destructive persistence, or unconsented AI-agent control-surface mutation.
Evidence
package.jsondist/index.jsdist/searxng/docker.jsdist/searxng/bootstrap.jsdist/plugins/loader.jsdist/watch/ssrf.jsdist/cli/agents/codex.jsassets/blocks/codex/AGENTS.md.block~/.wigolo~/.codex/config.tomlAGENTS.md
Network endpoints7
github.com/searxng/searxng/archive/refs/heads/master.tar.gz127.0.0.1:<searxngPort>/healthzwww.example.comapi.search.brave.com/res/v1/web/searchapi.github.com/search/codeduckduckgo.com/lite.duckduckgo.com/lite/

Decision evidence

public snapshot
AI called this Clean at 87.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no lifecycle scripts; main/bin dist/index.js only dispatches explicit CLI commands.
    • dist/searxng/docker.js uses docker execSync only for user-invoked local SearXNG startup on 127.0.0.1.
    • dist/searxng/bootstrap.js downloads SearXNG and runs pip/tar during warmup/init, package-aligned local search setup.
    • dist/watch/ssrf.js blocks localhost, private IPv4/IPv6, and metadata.google.internal for guarded URLs.
    • dist/plugins/loader.js imports only plugins from configured user pluginsDir, not remote code.
    • assets/blocks/codex/AGENTS.md.block is installed only by setup/init agent configuration and promotes package MCP tools; no covert install-time mutation.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    Manifest
    CopyleftLicense
    scanned 365 file(s), 1.27 MB of source, external domains: 127.0.0.1, api.github.com, api.search.brave.com, api.semanticscholar.org, api.stackexchange.com, api2.marginalia-search.com, devdocs.io, developer.mozilla.org, duckduckgo.com, example.com, export.arxiv.org, github.com, hn.algolia.com, lite.duckduckgo.com, lobste.rs, news.ycombinator.com, python.org, twitter.com, www.bing.com, www.example.com, www.google.com, www.mojeek.com

    Source & flagged code

    7 flagged · loading source
    dist/searxng/docker.jsView file
    1import { execSync } from "node:child_process"; L2: import { getConfig } from "../config.js";
    High
    Child Process

    Package source references child process execution.

    dist/searxng/docker.jsView on unpkg · L1
    dist/plugins/loader.jsView file
    84const fileUrl = pathToFileURL(entryPath).href; L85: mod = await import(fileUrl); L86: } catch (err) {
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/plugins/loader.jsView on unpkg · L84
    dist/search/evidence.jsView file
    1import { createHash } from "node:crypto"; L2: import { extractHighlights } from "./highlights.js";
    Low
    Weak Crypto

    Package source references weak cryptographic algorithms.

    dist/search/evidence.jsView on unpkg · L1
    dist/watch/ssrf.jsView file
    1const ALLOWED_PROTOCOLS = /* @__PURE__ */ new Set(["http:", "https:"]); L2: const PRIVATE_HOSTNAMES = /* @__PURE__ */ new Set([ L3: "localhost", ... L69: reason: `${fieldLabel} is not a valid URL`, L70: hint: 'Pass a fully qualified http(s) URL (e.g. "https://example.com/path").' L71: };
    High
    Cloud Metadata Access

    Source reaches cloud instance metadata or link-local credential endpoints.

    dist/watch/ssrf.jsView on unpkg · L1
    dist/extraction/site-extractors/amazon.jsView file
    249contains invisible/control Unicode U+200D (zero width joiner) const cleaned = raw.replace(/[<U+200D><U+200E><U+200F><U+200B>]/g, "").trim();
    Critical
    Trojan Source Unicode

    Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

    dist/extraction/site-extractors/amazon.jsView on unpkg · L249
    Trigger-reachable chain: manifest.main -> dist/index.js -> dist/cli/mcp.js -> dist/server.js -> dist/extraction/pipeline.js -> dist/extraction/v1/site-extractors.js -> dist/extraction/site-extractors/amazon.js Reachable file contains a blocking source-risk pattern.
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    dist/extraction/site-extractors/amazon.jsView on unpkg
    dist/cli/doctor.jsView file
    61try { L62: const r = spawnSync("npx", ["playwright", "--version"], { encoding: "utf-8", timeout: 5e3 }); L63: if (r.status === 0) {
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    dist/cli/doctor.jsView on unpkg · L61

    Findings

    2 Critical4 High4 Medium6 Low
    CriticalTrojan Source Unicodedist/extraction/site-extractors/amazon.js
    CriticalTrigger Reachable Dangerous Capabilitydist/extraction/site-extractors/amazon.js
    HighChild Processdist/searxng/docker.js
    HighShell
    HighCloud Metadata Accessdist/watch/ssrf.js
    HighRuntime Package Installdist/cli/doctor.js
    MediumDynamic Requiredist/plugins/loader.js
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowWeak Cryptodist/search/evidence.js
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings
    LowCopyleft License