AI Security Review
scanned 8d ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No unconsented install-time attack was confirmed. The real risk is explicit user-command agent extension setup that writes MCP configs and agent instruction files across supported AI tools.
Decision evidence
public snapshot- dist/cli/setup-mcp.js writes MCP entries after explicit `wigolo setup mcp` selection.
- dist/cli/init.js runs warmup then writes selected agent configs and instructions.
- dist/cli/agents/*.js can modify ~/.claude, ~/.codex/config.toml, Cursor/Gemini/VS Code/Windsurf configs, and project AGENTS.md/GEMINI.md/copilot instructions.
- assets/blocks/* instruction blocks tell agents to prefer wigolo MCP tools over built-in web tools.
- dist/cli/warmup.js invokes Playwright browser installs and model/bootstrap setup on user command.
- package.json has no preinstall/install/postinstall lifecycle hooks.
- dist/index.js only dispatches CLI subcommands; setup/init/warmup are user-invoked.
- dist/extraction/site-extractors/amazon.js Unicode controls are stripped from scraped text and not hidden executable logic.
- dist/searxng/docker.js child_process usage is bounded Docker management for local SearXNG.
- dist/plugins/loader.js imports plugins only from configured local pluginsDir.
- No credential harvesting or exfiltration endpoint found in inspected files.
Source & flagged code
8 flagged · loading sourcePackage source references child process execution.
dist/searxng/docker.jsView on unpkg · L1Package source references dynamic require/import behavior.
dist/plugins/loader.jsView on unpkg · L84Package source references weak cryptographic algorithms.
dist/search/evidence.jsView on unpkg · L1Source reaches cloud instance metadata or link-local credential endpoints.
dist/watch/ssrf.jsView on unpkg · L1Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/extraction/site-extractors/amazon.jsView on unpkg · L249A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/extraction/site-extractors/amazon.jsView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/cli/doctor.jsView on unpkgPackage source invokes a package manager install command at runtime.
dist/cli/doctor.jsView on unpkg · L62