registry  /  @100xprompt/cli-darwin-x64  /  0.1.25

@100xprompt/cli-darwin-x64@0.1.25

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Install-time behavior only re-signs the package-owned executable. The bundled CLI has networked AI-provider behavior when explicitly run; no confirmed malicious install-time attack surface was found.

Static reason
One or more suspicious static signals were detected.
Trigger
npm postinstall; separately, explicit execution of `bin/100xprompt`
Impact
No confirmed unconsented host mutation, credential theft, persistence, or payload execution.
Mechanism
re-signs its own Mach-O binary; bundled CLI calls package-aligned AI proxy endpoints
Rationale
Static inspection shows a platform-specific bundled CLI whose postinstall script only removes and re-applies a signature to its own executable. Runtime network and task-directory behavior is package-aligned, with no concrete malicious chain established.
Evidence
package.jsonbin/100xprompt~/.100xprompt/tasks
Network endpoints3
proxy.100xprompt.com/proproxy.100xprompt.com/flashapp.100xprompt.com

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `package.json` runs `codesign` during postinstall.
  • `bin/100xprompt` is a 120 MB Mach-O native binary.
  • Embedded runtime code contacts `proxy.100xprompt.com` when the CLI is used.
Evidence against
  • Postinstall targets only `./bin/100xprompt` and ignores failures.
  • No install hook launches the binary or writes user/agent configuration.
  • No concrete credential harvesting, exfiltration, remote payload download, or persistence chain was found.
  • Embedded code identifies a 100XPrompt CLI and runtime task path `~/.100xprompt/tasks`.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainNo supply-chain packaging signals triggered.
Manifest
NoLicense
scanned 0 file(s), 0 B of source

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = codesign --remove-signature ./bin/100xprompt || true; codesign --sign - --force --preserve-metadata=entitlements,requirements,flags,runtime ./bin/100xprompt || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = codesign --remove-signature ./bin/100xprompt || true; codesign --sign - --force --preserve-metadata=entitlements,requirements,flags,runtime ./bin/100xprompt || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/100xpromptView file
path = bin/100xprompt kind = native_binary sizeBytes = 120584272 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

bin/100xpromptView on unpkg

Findings

1 High2 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumShips Native Binarybin/100xprompt
LowScripts Present
LowNo License