registry  /  wigolo  /  0.1.42-beta.0

wigolo@0.1.42-beta.0

Local-first web intelligence MCP server for AI coding agents

AI Security Review

scanned 17h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `wigolo setup mcp` and selects agents, or starts the server with configured plugins.
Impact
Selected AI agents can be configured to invoke this package; configured local plugins run in the package process.
Mechanism
Explicit MCP configuration writes and dynamic loading of local plugins.
Rationale
Source inspection does not support the scanner's malicious verdict. The explicit AI-agent configuration capability warrants a warning under the stated policy, but there is no concrete malicious chain.
Evidence
package.jsondist/index.jsdist/cli/setup-mcp.jsdist/cli/tui/config-writer.jsdist/plugins/loader.jsdist/watch/ssrf.jsdist/extraction/site-extractors/amazon.jsdist/searxng/docker.js
Network endpoints1
127.0.0.1:${this.port}/healthz

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Benign with low false-positive risk.
Evidence for warning
  • `dist/cli/setup-mcp.js` explicitly invokes AI-tool configuration after agent selection.
  • `dist/cli/tui/config-writer.js` writes MCP entries for Codex, Claude, Cursor, VS Code, Gemini, Zed, and Windsurf.
  • `dist/plugins/loader.js` dynamically imports user-installed plugins from its configured plugin directory.
  • `dist/searxng/docker.js` starts/stops a named Docker SearXNG container on explicit runtime use.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • `dist/index.js` dispatches setup, Docker, doctor, and uninstall behavior only from explicit CLI commands.
  • `dist/watch/ssrf.js` rejects localhost, cloud-metadata aliases, private IPv4, and private IPv6 targets.
  • `dist/extraction/site-extractors/amazon.js` uses invisible-character removal in parsed text; no hidden execution or exfiltration was found.
  • No credential harvesting, telemetry/exfiltration endpoint, remote payload execution, or destructive install-time behavior was identified.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
CopyleftLicense
scanned 370 file(s), 1.34 MB of source, external domains: 127.0.0.1, api.github.com, api.search.brave.com, api.semanticscholar.org, api.stackexchange.com, api2.marginalia-search.com, devdocs.io, developer.mozilla.org, duckduckgo.com, example.com, export.arxiv.org, github.com, hn.algolia.com, lite.duckduckgo.com, lobste.rs, news.ycombinator.com, python.org, twitter.com, www.bing.com, www.example.com, www.google.com, www.mojeek.com

Source & flagged code

7 flagged · loading source
dist/searxng/docker.jsView file
1import { execSync } from "node:child_process"; L2: import { getConfig } from "../config.js";
High
Child Process

Package source references child process execution.

dist/searxng/docker.jsView on unpkg · L1
dist/plugins/loader.jsView file
84const fileUrl = pathToFileURL(entryPath).href; L85: mod = await import(fileUrl); L86: } catch (err) {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/plugins/loader.jsView on unpkg · L84
dist/search/evidence.jsView file
1import { createHash } from "node:crypto"; L2: import { extractHighlights } from "./highlights.js";
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/search/evidence.jsView on unpkg · L1
dist/watch/ssrf.jsView file
1const ALLOWED_PROTOCOLS = /* @__PURE__ */ new Set(["http:", "https:"]); L2: const PRIVATE_HOSTNAMES = /* @__PURE__ */ new Set([ L3: "localhost", ... L69: reason: `${fieldLabel} is not a valid URL`, L70: hint: 'Pass a fully qualified http(s) URL (e.g. "https://example.com/path").' L71: };
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/watch/ssrf.jsView on unpkg · L1
dist/extraction/site-extractors/amazon.jsView file
249contains invisible/control Unicode U+200D (zero width joiner) const cleaned = raw.replace(/[<U+200D><U+200E><U+200F><U+200B>]/g, "").trim();
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/extraction/site-extractors/amazon.jsView on unpkg · L249
Trigger-reachable chain: manifest.main -> dist/index.js -> dist/cli/mcp.js -> dist/server.js -> dist/extraction/pipeline.js -> dist/extraction/v1/site-extractors.js -> dist/extraction/site-extractors/amazon.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/extraction/site-extractors/amazon.jsView on unpkg
dist/cli/doctor.jsView file
62try { L63: const r = spawnSync("npx", ["playwright", "--version"], { encoding: "utf-8", timeout: 5e3 }); L64: if (r.status === 0) {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli/doctor.jsView on unpkg · L62

Findings

2 Critical4 High4 Medium6 Low
CriticalTrojan Source Unicodedist/extraction/site-extractors/amazon.js
CriticalTrigger Reachable Dangerous Capabilitydist/extraction/site-extractors/amazon.js
HighChild Processdist/searxng/docker.js
HighShell
HighCloud Metadata Accessdist/watch/ssrf.js
HighRuntime Package Installdist/cli/doctor.js
MediumDynamic Requiredist/plugins/loader.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/search/evidence.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License