
100xprompt-cli@0.0.0-dev-scoped1

AI Security Review

scanned 17h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established by the inspected source. Install-time behavior prepares the package binary and creates or merges package-owned configuration only.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install (postinstall hook); a user invoking the 100xprompt CLI
Impact
Installs/normalizes the 100xprompt CLI wrapper; no exfiltration or foreign agent hijack found in source
Mechanism
platform binary wrapper plus package-owned config bootstrap
Rationale
Static inspection shows an install hook, but its actions are package-aligned binary setup and first-party config creation without credential access, network exfiltration, persistence, or foreign AI-agent control-surface mutation. The runtime bin is a thin wrapper that launches the optional platform binary only when the CLI is invoked.
Evidence
  • package.json
  • postinstall.mjs
  • bin/100xprompt.js
  • bin/100xprompt
  • bin/100xprompt.exe
  • ~/.config/100xprompt/100xprompt.json
  • ~/.100xprompt/100xprompt.json
  • /dev/tty

Decision evidence

public snapshot
AI classified this package as Clean (Benign) at 86.0% confidence, with low false-positive risk.
Evidence for block
  • package.json runs postinstall.mjs at install time
  • postinstall.mjs writes package-owned config under XDG ~/.config/100xprompt or legacy ~/.100xprompt
  • postinstall.mjs chmods/symlinks/copies the platform binary and may run macOS codesign
Evidence against
  • No network code found; only schema URL string in default config
  • No credential, env, or arbitrary file harvesting found
  • No foreign AI-agent control-surface writes such as Claude/Codex/Cursor/MCP configs
  • bin/100xprompt.js only resolves a platform package binary and forwards CLI args/env on user invocation
  • Lifecycle changes are limited to package binary setup and package-owned app config
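To make the static triage behind the evidence above reproducible, here is an added example (not the scanner's code and not the package's own source) that applies the same signals to a constructed package.json carrying the report's postinstall line and to a constructed stand-in for postinstall.mjs that imitates the behaviours the report describes (config bootstrap under XDG or the legacy directory, chmod of the platform binary, optional macOS codesign). It flags install-time lifecycle hooks, checks each chained command against a reviewer allowlist, attributes a Shell surface to hooks that chain commands with `||`/`&&`/`;`, matches behavioral-surface keywords, and separates URL host strings from actual network-calling code. The allowlist, the keyword lists, the sample postinstall source and its schema URL path are assumptions for illustration only; the real package files are not reproduced here.

```javascript
// Added example: static triage of npm install-time lifecycle scripts, in the
// spirit of the report above. Not the scanner's code and not the package's.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
// Shell control operators; a hook that chains commands needs a shell to run.
const SHELL_OPERATORS = /\s*(?:\|\||&&|;|\|)\s*/;
// Constructed allowlist of hook commands a reviewer treats as routine (assumption).
const ALLOWLIST = [/^node-gyp rebuild$/, /^prebuild-install(?:\s|$)/, /^husky(?: install)?$/];
// Keyword signals per behavioral-surface category (assumed list, not exhaustive).
const SURFACE_PATTERNS = {
  ChildProcess: /\b(?:child_process|exec(?:File)?(?:Sync)?|spawn(?:Sync)?|Bun\.spawn)\b/,
  EnvironmentVars: /\bprocess\.env\b/,
  Filesystem: /\b(?:node:fs|fs\/promises|(?:readFile|writeFile|chmod|symlink|copyFile|mkdir|rename)(?:Sync)?)\b/,
  Shell: /shell:\s*true|\/bin\/(?:ba)?sh\b|\bbash -c\b/,
  Network: /\b(?:fetch|https?\.(?:request|get)|net\.connect|axios|undici|XMLHttpRequest)\b/,
};

// Split "a || b && c" into its individual commands so each one is reviewed.
function splitCommand(cmd) {
  return cmd.split(SHELL_OPERATORS).map((s) => s.trim()).filter(Boolean);
}

// High: any install-time hook. Medium: a hook whose commands are not allowlisted.
function auditLifecycleScripts(pkg) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (!(hook in scripts)) continue;
    const command = scripts[hook];
    findings.push({ severity: "high", rule: "install-time-lifecycle-script", hook, command });
    const unlisted = splitCommand(command).filter((c) => !ALLOWLIST.some((re) => re.test(c)));
    if (unlisted.length === 0) continue;
    // Local script files referenced by the hook are what the reviewer must open next.
    const localFiles = [...new Set(unlisted.flatMap((c) => c.match(/\.{0,2}\/[\w./-]+\.(?:m?js|cjs|sh)/g) || []))];
    findings.push({ severity: "medium", rule: "ambiguous-install-script", hook, commands: unlisted, localFiles });
  }
  return findings;
}

function surfaceOf(source) {
  return Object.keys(SURFACE_PATTERNS).filter((k) => SURFACE_PATTERNS[k].test(source));
}

// Hosts named in URL strings, regardless of whether anything connects to them.
function externalHosts(source) {
  const hosts = new Set();
  for (const m of source.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) hosts.add(m[1].toLowerCase());
  return [...hosts].sort();
}

function triage(pkg, sources) {
  const findings = auditLifecycleScripts(pkg);
  const surface = new Set();
  const hosts = new Set();
  for (const src of Object.values(sources)) {
    surfaceOf(src).forEach((s) => surface.add(s));
    externalHosts(src).forEach((h) => hosts.add(h));
  }
  // Chained hook commands imply a shell even when the script files never spawn one.
  const scripts = pkg.scripts || {};
  if (LIFECYCLE_HOOKS.some((h) => h in scripts && SHELL_OPERATORS.test(scripts[h]))) surface.add("Shell");
  return {
    findings,
    surface: [...surface].sort(),
    externalHosts: [...hosts].sort(),
    // A host string with no network-calling code is a URL string, not network code.
    networkCode: surface.has("Network"),
  };
}

// Constructed sample package.json (the report's script line) and a constructed
// stand-in for postinstall.mjs imitating the behaviours the report describes.
// The schema URL path is an assumption; only the host appears in the report.
const SAMPLE_PKG = { name: "100xprompt-cli", scripts: { postinstall: "bun ./postinstall.mjs || node ./postinstall.mjs" } };
const SAMPLE_POSTINSTALL = String.raw`
import fs from "node:fs";
import os from "node:os";
import path from "node:path";
import { execFileSync } from "node:child_process";
const home = os.homedir();
const legacy = path.join(home, ".100xprompt");
const cfgDir = fs.existsSync(legacy) ? legacy : path.join(process.env.XDG_CONFIG_HOME || path.join(home, ".config"), "100xprompt");
const cfg = path.join(cfgDir, "100xprompt.json");
fs.mkdirSync(cfgDir, { recursive: true });
if (!fs.existsSync(cfg)) fs.writeFileSync(cfg, JSON.stringify({ $schema: "https://proxy.100xprompt.com/schema.json" }));
const bin = path.join("bin", process.platform === "win32" ? "100xprompt.exe" : "100xprompt");
if (fs.existsSync(bin)) fs.chmodSync(bin, 0o755);
if (process.platform === "darwin") execFileSync("codesign", ["--force", "--sign", "-", bin]);
`;

const RESULT = triage(SAMPLE_PKG, { "postinstall.mjs": SAMPLE_POSTINSTALL });
console.log(JSON.stringify(RESULT, null, 2));
```

Run with `node`. On the constructed input the result mirrors the report: one High and one Medium finding on the postinstall hook, a surface of ChildProcess, EnvironmentVars, Filesystem and Shell, the host proxy.100xprompt.com reported from a URL string, and `networkCode: false` because nothing in the source actually opens a connection. Keyword matching of this kind is a triage aid, not proof: an obfuscated or dynamically constructed call would slip past the patterns, which is exactly why the Medium finding points the reviewer at the referenced local files.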
Behavioral surface
Source
ChildProcess, EnvironmentVars, Filesystem, Shell
Supply chain
UrlStrings
Manifest
NoLicense
scanned 2 file(s), 14.1 KB of source, external domains: proxy.100xprompt.com

Source & flagged code

2 flagged

High · Install Time Lifecycle Scripts
package.json
scripts.postinstall = bun ./postinstall.mjs || node ./postinstall.mjs

Package defines install-time lifecycle scripts.

Medium · Ambiguous Install Lifecycle Script
package.json
scripts.postinstall = bun ./postinstall.mjs || node ./postinstall.mjs

Install-time lifecycle script is not statically allowlisted and needs review.

Findings

1 High, 2 Medium, 4 Low
  • High · Install Time Lifecycle Scripts · package.json
  • Medium · Ambiguous Install Lifecycle Script · package.json
  • Medium · Environment Vars
  • Low · Scripts Present
  • Low · Filesystem
  • Low · Url Strings
  • Low · No License