AI Security Review
scanned 2h ago · by lpm-firewall-aiThe user-invoked CLI downloads and executes an opaque native binary. The JavaScript shim itself has no confirmed credential theft, persistence, or destructive action.
Decision evidence
public snapshot- `bin/aarvion-guard.js` downloads a platform binary at runtime.
- The downloaded binary is executed via `spawnSync`.
- No checksum or signature verification is present.
- Redirect locations are followed before execution.
- `package.json` defines no lifecycle scripts.
- Execution occurs only when the `aarvion-guard` CLI is invoked.
- Download target is a package-aligned GitHub Releases repository.
- Source does not harvest files, secrets, or send command output externally.
Source & flagged code
4 flagged · loading sourcePackage source references child process execution.
bin/aarvion-guard.jsView on unpkg · L9A single source file combines environment access, network access, and code or shell execution; review context before blocking.
bin/aarvion-guard.jsView on unpkg · L78Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
bin/aarvion-guard.jsView on unpkg · L78Package source invokes a package manager install command at runtime.
bin/aarvion-guard.jsView on unpkg · L3