AI Security Review
scanned 7d ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious behavior or install-time hijack was found. The real risk is explicit user-command setup that modifies AI-agent configuration and instructions to register wigolo as an MCP server and prefer its web tools.
Decision evidence
public snapshot- Explicit `wigolo setup mcp`/`wigolo init` can write MCP entries for multiple AI tools in `dist/cli/tui/config-writer.js`.
- Agent handlers install instruction blocks/skills/commands into AI-agent surfaces, including Codex `AGENTS.md`, Claude skills, Cursor rules, and VS Code instructions.
- Installed blocks instruct agents to prefer wigolo for web operations, e.g. `assets/blocks/codex/AGENTS.md.block` and `assets/blocks/claude-code/CLAUDE.md.block`.
- `package.json` has no preinstall/install/postinstall lifecycle scripts.
- Entrypoint `dist/index.js` only dispatches CLI commands; setup/init are user-invoked, not install-time or import-time mutation.
- MCP config entries point back to `npx -y wigolo`, a package-aligned local MCP server, not a foreign payload.
- Network and shell use appears package-aligned: web search/fetch, local SearXNG/Docker/bootstrap, doctor probes, and LLM providers.
- SSRF guard in `dist/watch/ssrf.js` blocks localhost, private IP ranges, and metadata hostnames for watched URLs.
- Dynamic plugin loading in `dist/plugins/loader.js` is from configured local plugin directories, not remote code download.
Source & flagged code
7 flagged · loading sourcePackage source references child process execution.
dist/searxng/docker.jsView on unpkg · L1Package source references dynamic require/import behavior.
dist/plugins/loader.jsView on unpkg · L84Package source references weak cryptographic algorithms.
dist/search/evidence.jsView on unpkg · L1Source reaches cloud instance metadata or link-local credential endpoints.
dist/watch/ssrf.jsView on unpkg · L1Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/extraction/site-extractors/amazon.jsView on unpkg · L249A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/extraction/site-extractors/amazon.jsView on unpkgPackage source invokes a package manager install command at runtime.
dist/cli/doctor.jsView on unpkg · L62