
@100xprompt/cli-darwin-x64@0.1.1

AI Security Review

scanned 17h ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The install hook only re-signs the package's bundled binary; broader AI/MCP, shell, LSP, and sharing capabilities appear to be CLI runtime features.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; runtime behavior requires user invoking the 100xprompt binary
Impact
No evidence of credential theft, persistence, destructive behavior, or unconsented foreign agent control-surface mutation
Mechanism
platform CLI binary with local codesign postinstall
Rationale
Static inspection found a native platform package for the 100xprompt CLI with a local codesign postinstall, not an install-time payload or hijack. The risky primitives in source maps are package-aligned runtime agent/CLI capabilities rather than unconsented install-time behavior.
Evidence
  • package.json
  • bin/100xprompt
  • bin/index.js.map
  • bin/worker.js.map

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
  • Ships native Mach-O executable at bin/100xprompt
  • package.json postinstall modifies local binary signature with codesign
Evidence against
  • postinstall only runs codesign on ./bin/100xprompt and ignores failures
  • No install-time writes to home/project agent control surfaces found
  • Source maps show package-aligned 100xprompt CLI/server/plugin/MCP functionality
  • Network use in mapped sources is user-invoked/package-aligned, e.g. install/update/share/model APIs
  • Secret handling includes redaction paths before share/memory egress
Behavioral surface
Source
No risky source behavior triggered.
Supply chain
No supply-chain packaging signals triggered.
Manifest
No License
scanned 0 file(s), 0 B of source

Source & flagged code

3 flagged

package.json
scripts.postinstall = codesign --remove-signature ./bin/100xprompt || true; codesign --sign - --force --preserve-metadata=entitlements,requirements,flags,runtime ./bin/100xprompt || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = codesign --remove-signature ./bin/100xprompt || true; codesign --sign - --force --preserve-metadata=entitlements,requirements,flags,runtime ./bin/100xprompt || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

bin/100xprompt
path = bin/100xprompt kind = native_binary sizeBytes = 118274128 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

Findings

1 High, 2 Medium, 2 Low
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Medium: Ships Native Binary (bin/100xprompt)
  • Low: Scripts Present
  • Low: No License