AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. Install-time code fetches an executable archive, extracts it under the package, and executes its `bootstrap` subcommand. The binary is external to the inspected JavaScript source, so the AI-assistant configuration changes cannot be verified statically.
Static reason
One or more suspicious static signals were detected.
Trigger
`npm install` / `postinstall` unless `ATLAS_SKIP_DOWNLOAD` or `ATLAS_SKIP_BOOTSTRAP` is set.
Impact
A compromised or changed release asset can execute with installer-user privileges and alter assistant configuration.
Mechanism
Unverified GitHub release binary download followed by automatic AI-assistant bootstrap.
Rationale
The inspected source establishes automatic remote-binary execution and AI-assistant provisioning, but no concrete exfiltration, destructive action, or confirmed foreign/broad control-surface mutation is visible. Warn pending trust verification of the downloaded release binary and bootstrap behavior.
Evidence
package.jsonscripts/install.jsbin/atlas.jsREADME.mdvendor/{goos}-{goarch}/atlas$TMPDIR/atlas_0.1.35_{goos}_{goarch}.tar.gz
Network endpoints1
github.com/aziron-ai/atlas/releases/download/v0.1.35/atlas_0.1.35_{goos}_{goarch}.tar.gz
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `package.json` runs `node scripts/install.js` as `postinstall`.
- `scripts/install.js` downloads a versioned release archive over HTTPS without checksum/signature verification.
- The installer extracts the downloaded native binary then invokes `atlas bootstrap` automatically.
- `bootstrap` is documented in source as provisioning skill and MCP configuration for AI assistants.
- `GITHUB_TOKEN`/`GH_TOKEN` is attached as a bearer token to the release-asset request.
Evidence against
- No JavaScript source harvests files, environment data, or credentials beyond optional release tokens.
- No source-defined exfiltration endpoint exists beyond the package-aligned GitHub release URL.
- The wrapper only executes the installed binary or an explicitly supplied `ATLAS_BINARY`.
- Bootstrap failures are non-fatal and `ATLAS_SKIP_BOOTSTRAP=1` disables automatic provisioning.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetwork
UrlStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node scripts/install.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node scripts/install.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings