Oathe Security Badge

Is Anil-matcha/Open-Generative-AI safe?

https://github.com/Anil-matcha/Open-Generative-AI

Score: 85 · SAFE

Open Generative AI is a legitimate open-source Next.js/Electron application for AI image and video generation, with no SKILL.md and therefore no direct agent prompt injection surface. The primary security concern is a potential Server-Side Request Forgery (SSRF) in the server-side upload proxy, where user-controlled target URLs are fetched by the server without confirmed validation against internal address ranges. Secondary concerns include three unaudited external git submodule dependencies pulled during installation, long-lived API key storage in SameSite=Lax cookies, and a hardcoded affiliate promotional banner for vadoo.tv embedded in all deployments. The clone itself was clean with no unexpected network activity, process spawning, or canary file exfiltration.

Category Scores

Prompt Injection 97/100 · 30%
Data Exfiltration 72/100 · 25%
Code Execution 78/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 68/100 · 5%

Findings (10)

HIGH Server-side upload proxy accepts user-controlled target URL (SSRF) -18

Both app/api/upload-binary/route.js and app/api/v1/upload-binary/route.js extract 'x-proxy-target-url' from user-submitted multipart form data and use it as the destination for a server-side POST request via fetch(). The validateUploadProxyTarget() function is called, but its implementation in src/lib/uploadProxyTarget.js was not included in the provided source dump. If validation does not explicitly block RFC1918 addresses (10.x, 172.16-31.x, 192.168.x), link-local addresses (169.254.x.x for AWS/GCP metadata), or loopback, this constitutes a Server-Side Request Forgery (SSRF) vulnerability. The code comment 'This bypasses browser CORS/Preflight security entirely' explicitly acknowledges the security boundary being bypassed.

MEDIUM API key persisted in long-lived SameSite=Lax cookie (1-year expiry) -8

StandaloneShell.js and all three agent client components (AgentChatClient, AgentCreateClient, AgentEditClient) store the MuAPI API key as a cookie with max-age=31536000 (365 days) and SameSite=Lax. SameSite=Lax does not prevent the cookie from being sent on cross-site top-level navigations (e.g., redirect-based attacks). Combined with simultaneous localStorage persistence, the API key is present in two long-lived browser storage locations, increasing the XSS theft surface and limiting key rotation effectiveness.

MEDIUM Three unaudited external git submodules pulled during install -15

Running 'npm run setup' (the documented install command) executes 'git submodule update --init --recursive', pulling in three external repositories: SamurAIGPT/Vibe-Workflow (different author), Anil-matcha/Open-Poe-AI, and Anil-matcha/Open-AI-Design-Agent. These were not cloned during this audit (shallow --depth 1 of the main repo only). Any of these could contain malicious install scripts, postinstall hooks, or compromised code, and could be silently updated in future by their maintainers. The packages/studio/package.json shows these are declared as local file dependencies built and bundled into the deployed app.

MEDIUM All user API credentials and requests proxied through operator-controlled server to muapi.ai -15

The application's Next.js API routes act as a reverse proxy: every AI generation request from users is routed through the self-hosted server to https://api.muapi.ai. The server reads the user's muapi_key from cookies or headers, injects it into forwarded requests, and logs key prefixes. This architectural pattern gives the application operator complete visibility into user API keys and all AI generation activity. Users deploying this publicly must understand they are operating a credential proxy.

LOW Hardcoded affiliate promotional banner for vadoo.tv embedded in UI -10

StandaloneShell.js hardcodes a persistent promotional banner for vadoo.tv with the text 'Unrestricted AI Images & Videos → Auto-Publish as YouTube Shorts & TikToks, Earn ↗'. This banner is shown to all users by default and requires explicit dismissal (with localStorage persistence). The 'unrestricted' framing is notable for an AI content platform. The integration is hardcoded into the shell component, not configurable, meaning any deployment of this application automatically promotes this third-party service.

LOW Electron app downloads and executes external native AI binaries -7

The Electron build pipeline (scripts/stage-local-ai-binary.js, electron/lib/localInference.js, localInferenceAssets.js) downloads, stages, and executes stable-diffusion.cpp native binaries for local inference. While this is the stated functionality, execution of downloaded native binaries expands the code execution attack surface. The wan2gpProvider.js also manages a Gradio-based inference server. If binary integrity verification is absent or weak, this pathway could be exploited.

LOW API key prefixes logged to server stdout across all proxy routes -2

Five API proxy route handlers log the first 8 characters of user API keys to stdout via console.log(). While truncated, repeated logging creates a partial key corpus in server logs that could aid key recovery if an attacker gains log access. The workflow proxy additionally logs full request body contents for workflow_id, name, and source_workflow_id fields.

INFO No SKILL.md — repository is a web application, not an LLM agent plugin 0

This repository contains a full Next.js/Electron web application (Open Generative AI studio) with no SKILL.md file. There is no agent system-prompt injection surface. The audit is evaluating a web application codebase rather than a skill designed for injection into an LLM agent. All prompt injection, persona override, and instruction hijacking categories score cleanly.

INFO Clean clone — only expected GitHub connection, no behavioral anomalies 0

The git clone connected exclusively to 140.82.121.4:443 (github.com). No unexpected outbound connections to third-party exfiltration endpoints, no new listening services, and no filesystem modifications outside the designated clone directory were observed. Connection state before and after the clone is identical.

INFO Pre-clone sensitive file reads attributed to audit framework sudo setup 0

Inotify and auditd records show reads to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud credentials at timestamp 1783031361.525 — approximately 5.5 seconds before the git clone at 1783031367.082. These accesses occur during the audit framework's sudo privilege escalation (auditctl/tcpdump setup) and PAM/NSS resolution, not from repository code. The audit framework's own canary integrity check confirms all files remain intact with no exfiltration.