registry  /  @aryaminus/controlkeel  /  0.3.59

@aryaminus/controlkeel@0.3.59

Bootstrap installer for the ControlKeel native CLI - a control plane for agent-generated software delivery.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is a lazy native CLI bootstrapper that downloads, verifies, caches, and executes a ControlKeel binary only when invoked.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs controlkeel, runs index.js directly, or calls ensureBinary/getBinaryPath programmatically.
Impact
Executes package-aligned native CLI after user invocation; no install-time execution or exfiltration observed.
Mechanism
Lazy verified native binary download and spawn
Rationale
Static inspection shows a transparent, package-aligned CLI bootstrapper with no lifecycle hook execution and no concrete exfiltration, persistence, destructive action, or foreign AI-agent control-surface mutation. The child process, network, and environment-variable findings are explained by user-invoked binary download/execution and optional signature verification controls.
Evidence
package.jsonindex.jsbin/controlkeel.jslib/install.jsREADME.mdSECURITY.mdserver.jsonvendor/controlkeelvendor/controlkeel.exeos.tmpdir()/controlkeel-*.sigos.tmpdir()/controlkeel-*.pemos.tmpdir()/controlkeel-*
Network endpoints3
github.com/aryaminus/controlkeel/releasesgithub.com/aryaminus/controlkeel/releases/download/v0.3.59token.actions.githubusercontent.com

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • lib/install.js downloads a native binary from GitHub Releases on first CLI/programmatic use.
  • bin/controlkeel.js and index.js spawn the downloaded binary with user-supplied arguments.
  • lib/install.js uses process.env only for CONTROLKEEL_SKIP_SIGNATURE and CONTROLKEEL_REQUIRE_SIGNATURE signature verification toggles.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts.
  • Download source is hardcoded to aryaminus/controlkeel GitHub Releases and package version 0.3.59.
  • lib/install.js verifies SHA-256 checksums before caching the binary and optionally verifies cosign signatures.
  • No credential harvesting, broad filesystem scanning, agent config mutation, persistence, or destructive behavior found in package source.
  • Network and execution behavior are package-aligned and activated by running/importing the CLI, not npm install.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 9.60 KB of source, external domains: github.com, token.actions.githubusercontent.com

Source & flagged code

3 flagged · loading source
bin/controlkeel.jsView file
2L3: const { spawn } = require("node:child_process"); L4: const { ensureBinary } = require("../lib/install");
High
Child Process

Package source references child process execution.

bin/controlkeel.jsView on unpkg · L2
lib/install.jsView file
200L201: if (process.env.CONTROLKEEL_REQUIRE_SIGNATURE === "1") { L202: throw new Error(`[controlkeel] No cosign signature/certificate available for ${asset}`); ... L208: try { L209: execFileSync(cosignPath, [ L210: "verify-blob", filePath, ... L212: "--certificate", certFile, L213: "--certificate-identity-regexp", `^https://github.com/${repo}/.github/workflows/release.yml@refs/tags/v[0-9].*`, L214: "--certificate-oidc-issuer", "https://token.actions.githubusercontent.com"
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

lib/install.jsView on unpkg · L200
6const path = require("node:path"); L7: const https = require("node:https"); L8: L9: const packageJson = require("../package.json"); L10: ... L18: // and optional cosign sig/cert artifacts all resolve from here. Kept as plain, L19: // auditable strings: obfuscating them (e.g. base64 at runtime) is a pattern L20: // supply-chain scanners treat as MORE suspicious, not less. ... L30: L31: function assetName(platform = process.platform, arch = process.arch) { L32: if (platform === "linux" && arch === "x64") { ... L59: function binaryPath() {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

lib/install.jsView on unpkg · L6

Findings

3 High2 Medium2 Low
HighChild Processbin/controlkeel.js
HighSame File Env Network Executionlib/install.js
HighSandbox Evasion Gated Capabilitylib/install.js
MediumNetwork
MediumEnvironment Vars
LowFilesystem
LowUrl Strings