AI Security Review
scanned 3d ago · by lpm-firewall-aiThe CLI fetches and executes an opaque remote binary on first user invocation. The package source does not establish malicious payload behavior, but it delegates execution to an unverified release asset.
Decision evidence
public snapshot- `bin/aarvion-guard.js` downloads a platform binary at runtime.
- The downloaded binary is executed with `spawnSync`.
- No checksum or signature verification protects the release asset.
- Redirects are followed before writing the executable cache.
- `package.json` defines no preinstall, install, or postinstall hook.
- Network and execution occur only after the user invokes `aarvion-guard`.
- Inspected shim contains no credential harvesting or outbound data upload.
Source & flagged code
4 flagged · loading sourcePackage source references child process execution.
bin/aarvion-guard.jsView on unpkg · L9A single source file combines environment access, network access, and code or shell execution; review context before blocking.
bin/aarvion-guard.jsView on unpkg · L78Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
bin/aarvion-guard.jsView on unpkg · L78Package source invokes a package manager install command at runtime.
bin/aarvion-guard.jsView on unpkg · L3