AI Security Review
scanned 2h ago · by lpm-firewall-aiInstall runs a downloader that retrieves a native CLI binary from GitHub releases and stores it under the package bin directory. The binary is then executed only when the user invokes the apex command, but its contents are not inspectable from the package source.
Decision evidence
public snapshot- package.json defines postinstall: node install.cjs
- install.cjs downloads a platform executable from GitHub releases without checksum/signature verification
- install.cjs writes to bin/apex or bin/apex.exe and chmods it executable
- apex.cjs bin wrapper spawnSyncs the downloaded executable with inherited stdio/env
- README/package metadata reference oh-my-pi/can1357 while installer fetches Apex-Foundation/copilot
- No source shows credential harvesting, destructive filesystem actions, or persistence
- No install-time execution of the downloaded binary was found
- Network use is limited to GitHub release download in inspected source
- bin/apex in the package is an empty placeholder
Source & flagged code
3 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
install.cjsView on unpkg