AI Security Review
scanned 2h ago · by lpm-firewall-aiThe package is an npm bootstrapper for an opaque native/bundled CLI downloaded at install time. Source inspection confirms remote binary download and later execution, but no direct malicious exfiltration, persistence, or destructive behavior in the published JS.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; user later invokes aca
Impact
Unreviewed remote binary code executes as the user when aca is invoked; install-time download integrity is anchored to a manifest from the same host.
Mechanism
install-time remote binary downloader and runtime launcher
Rationale
Static inspection shows a package-aligned binary bootstrapper with install-time remote downloads and runtime execution, but no concrete malicious behavior in the published JavaScript. Because the real application code is not included and update/download behavior is broad, warn rather than block.
Evidence
package.jsoninstall.cjscli-wrapper.cjsREADME.mdbin/acabin/aca.exebin/rgbin/rg.exebin/aca.vsixbin/.aca-pending-versionbin/aca.pendingbin/aca.exe.pendingbin/rg.pendingbin/rg.exe.pending
Network endpoints2
github.com/lokeshe09/aca-releases/releases/download/v0.0.7aca.aicraftalchemy.com
Decision evidence
public snapshotAI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- package.json defines postinstall: node install.cjs
- install.cjs downloads platform binary, rg, and aca.vsix from GitHub release URL during install
- install.cjs trusts manifest.json from same remote origin for file names and SHA-256 hashes
- cli-wrapper.cjs executes downloaded bin/aca or bin/aca.exe with forwarded args and stdio
- cli-wrapper.cjs applies staged pending binary updates from bin/*.pending before launch
Evidence against
- No credential harvesting or exfiltration code found in published JS
- Network access is limited to package release download host unless ACA_RELEASE_BASE_URL is explicitly set
- Downloaded files are written under package bin/ only
- No broad AI-agent config mutation or foreign control-surface writes in package source
- README describes an agentic coding CLI matching the binary-launcher behavior
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
UrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node install.cjs
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node install.cjs
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High3 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License