registry  /  wigolo  /  0.1.40-beta.1

wigolo@0.1.40-beta.1

Local-first web intelligence MCP server for AI coding agents

AI Security Review

scanned 8d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No unconsented install-time attack was confirmed. The real risk is explicit user-command agent extension setup that writes MCP configs and agent instruction files across supported AI tools.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs `wigolo init` or `wigolo setup mcp` and selects agents.
Impact
Agents may route web operations through wigolo and trust package-owned instructions; no source evidence of exfiltration or stealth persistence.
Mechanism
first-party MCP/agent configuration and instruction installation
Rationale
Static inspection found agent control-surface mutation, but it is explicit first-party setup rather than unconsented install-time hijacking, and no exfiltration/destructive chain was identified. This fits a warning for agent extension lifecycle risk, not a publish block.
Evidence
package.jsondist/index.jsdist/cli/init.jsdist/cli/setup-mcp.jsdist/cli/agents/utils.jsdist/cli/agents/claude-code.jsdist/cli/agents/codex.jsdist/cli/agents/cursor.jsdist/cli/agents/gemini-cli.jsdist/cli/agents/vscode.jsdist/cli/warmup.jsdist/searxng/docker.js~/.claude/CLAUDE.md~/.claude/skills/wigolo*~/.claude/commands/wigolo.md~/.claude.json~/.codex/config.tomlAGENTS.md~/.cursor/mcp.json~/.cursor/rules/wigolo.mdc~/.gemini/settings.jsonGEMINI.md.github/copilot-instructions.md~/.codeium/windsurf/mcp_config.json
Network endpoints1
127.0.0.1:<searxngPort>/healthz

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/cli/setup-mcp.js writes MCP entries after explicit `wigolo setup mcp` selection.
  • dist/cli/init.js runs warmup then writes selected agent configs and instructions.
  • dist/cli/agents/*.js can modify ~/.claude, ~/.codex/config.toml, Cursor/Gemini/VS Code/Windsurf configs, and project AGENTS.md/GEMINI.md/copilot instructions.
  • assets/blocks/* instruction blocks tell agents to prefer wigolo MCP tools over built-in web tools.
  • dist/cli/warmup.js invokes Playwright browser installs and model/bootstrap setup on user command.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • dist/index.js only dispatches CLI subcommands; setup/init/warmup are user-invoked.
  • dist/extraction/site-extractors/amazon.js Unicode controls are stripped from scraped text and not hidden executable logic.
  • dist/searxng/docker.js child_process usage is bounded Docker management for local SearXNG.
  • dist/plugins/loader.js imports plugins only from configured local pluginsDir.
  • No credential harvesting or exfiltration endpoint found in inspected files.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
CopyleftLicense
scanned 370 file(s), 1.34 MB of source, external domains: 127.0.0.1, api.github.com, api.search.brave.com, api.semanticscholar.org, api.stackexchange.com, api2.marginalia-search.com, devdocs.io, developer.mozilla.org, duckduckgo.com, example.com, export.arxiv.org, github.com, hn.algolia.com, lite.duckduckgo.com, lobste.rs, news.ycombinator.com, python.org, twitter.com, www.bing.com, www.example.com, www.google.com, www.mojeek.com

Source & flagged code

8 flagged · loading source
dist/searxng/docker.jsView file
1import { execSync } from "node:child_process"; L2: import { getConfig } from "../config.js";
High
Child Process

Package source references child process execution.

dist/searxng/docker.jsView on unpkg · L1
dist/plugins/loader.jsView file
84const fileUrl = pathToFileURL(entryPath).href; L85: mod = await import(fileUrl); L86: } catch (err) {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/plugins/loader.jsView on unpkg · L84
dist/search/evidence.jsView file
1import { createHash } from "node:crypto"; L2: import { extractHighlights } from "./highlights.js";
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/search/evidence.jsView on unpkg · L1
dist/watch/ssrf.jsView file
1const ALLOWED_PROTOCOLS = /* @__PURE__ */ new Set(["http:", "https:"]); L2: const PRIVATE_HOSTNAMES = /* @__PURE__ */ new Set([ L3: "localhost", ... L69: reason: `${fieldLabel} is not a valid URL`, L70: hint: 'Pass a fully qualified http(s) URL (e.g. "https://example.com/path").' L71: };
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/watch/ssrf.jsView on unpkg · L1
dist/extraction/site-extractors/amazon.jsView file
249contains invisible/control Unicode U+200D (zero width joiner) const cleaned = raw.replace(/[<U+200D><U+200E><U+200F><U+200B>]/g, "").trim();
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/extraction/site-extractors/amazon.jsView on unpkg · L249
Trigger-reachable chain: manifest.main -> dist/index.js -> dist/cli/mcp.js -> dist/server.js -> dist/extraction/pipeline.js -> dist/extraction/v1/site-extractors.js -> dist/extraction/site-extractors/amazon.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/extraction/site-extractors/amazon.jsView on unpkg
dist/cli/doctor.jsView file
matchType = previous_version_dangerous_delta matchedPackage = wigolo@0.1.40-beta.0 matchedIdentity = npm:d2lnb2xv:0.1.40-beta.0 similarity = 0.842 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli/doctor.jsView on unpkg
62try { L63: const r = spawnSync("npx", ["playwright", "--version"], { encoding: "utf-8", timeout: 5e3 }); L64: if (r.status === 0) {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli/doctor.jsView on unpkg · L62

Findings

3 Critical4 High4 Medium6 Low
CriticalTrojan Source Unicodedist/extraction/site-extractors/amazon.js
CriticalTrigger Reachable Dangerous Capabilitydist/extraction/site-extractors/amazon.js
CriticalPrevious Version Dangerous Deltadist/cli/doctor.js
HighChild Processdist/searxng/docker.js
HighShell
HighCloud Metadata Accessdist/watch/ssrf.js
HighRuntime Package Installdist/cli/doctor.js
MediumDynamic Requiredist/plugins/loader.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/search/evidence.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License