registry  /  @aicraftalchemy/aca  /  0.0.3

@aicraftalchemy/aca@0.0.3

ACA — agentic coding CLI. Any model, any provider (Claude, Gemini, OpenAI, NVIDIA, Groq, Cerebras, OpenRouter, Hugging Face). Developed by Aicraftalchemy.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The package is a thin npm bootstrapper that downloads opaque native/compiled executables during postinstall and later runs them through the CLI wrapper. Static source does not show concrete malicious behavior, but the shipped npm source cannot be used to inspect the real CLI payload.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall downloads binaries; running aca executes downloaded bin/aca
Impact
Unreviewable downloaded executable runs with user privileges when aca is invoked
Mechanism
install-time remote binary download and package-local executable drop
Rationale
This is not source-confirmed malware, but it is a remote compiled payload carrier installed by a postinstall hook, so a warn verdict is appropriate. No concrete attack chain such as credential exfiltration, destructive behavior, persistence, or unconsented AI-agent control hijack appears in the inspected package files.
Evidence
package.jsoninstall.cjscli-wrapper.cjsREADME.mdbin/acabin/aca.exebin/rgbin/rg.exe
Network endpoints2
github.com/lokeshe09/aca-releases/releases/download/v0.0.3aca.aicraftalchemy.com

Decision evidence

public snapshot
AI called this Suspicious at 83.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json runs postinstall: node install.cjs
  • install.cjs downloads manifest and platform binaries from GitHub releases at install time
  • install.cjs writes executable bin/aca or bin/aca.exe and optional bin/rg
  • cli-wrapper.cjs executes downloaded bin/aca with forwarded args and inherited stdio
  • Real application code is not present in npm source; README describes provider API key use
Evidence against
  • install.cjs verifies SHA-256 from downloaded manifest before writing binaries
  • Network endpoint is package-aligned release hosting, not an obvious exfiltration URL
  • No source evidence of credential harvesting, persistence, destructive behavior, or AI-agent config mutation
  • No broad filesystem access beyond package-local bin writes in inspected source
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
Manifest
NoLicense
scanned 2 file(s), 4.81 KB of source, external domains: github.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node install.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node install.cjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High3 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License