AI Security Review
scanned 11d ago · by lpm-firewall-aiThe package is a native binary wrapper for a Discord TUI client. The install-time download and CLI execution are package-aligned and no confirmed malicious behavior is established.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; user CLI invocation runs concord
Impact
Installs and runs the Concord prebuilt binary for the user's platform
Mechanism
platform-specific GitHub release artifact download, extraction, and CLI spawn
Rationale
Static inspection shows a conventional prebuilt-binary npm installer whose network, filesystem, and child_process behavior matches the advertised Concord CLI package. No concrete exfiltration, persistence, destructive behavior, dependency confusion, or unconsented control-surface mutation was found.
Evidence
package.jsoninstall.jsbinary.jsbinary-install.jsrun-concord.jsREADME.mdnpm-shrinkwrap.jsonnode_modules/.bin_realtemporary OS archive path
Network endpoints1
github.com/chojs23/concord/releases/download/v2.2.11
Decision evidence
public snapshotAI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
- package.json has postinstall: node ./install.js
- install.js calls install(false) during npm install
- binary-install.js downloads and extracts a platform archive, then run() spawnSyncs the installed binary
Evidence against
- Network use is limited to package.json artifactDownloadUrls under github.com/chojs23/concord releases
- Installer writes only node_modules/.bin_real and a temp archive before tar/unzip extraction
- run-concord.js only invokes run("concord") for the declared CLI bin
- No source evidence of env/credential harvesting, arbitrary eval, persistence, destructive project traversal, or AI-agent control-surface writes
Behavioral surface
ChildProcessFilesystemNetwork
UrlStrings
CopyleftLicense
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node ./install.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node ./install.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High2 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings
LowCopyleft License