registry  /  @chojs23/concord  /  2.2.11

@chojs23/concord@2.2.11

A terminal user interface client for Discord

AI Security Review

scanned 11d ago · by lpm-firewall-ai

The package is a native binary wrapper for a Discord TUI client. The install-time download and CLI execution are package-aligned and no confirmed malicious behavior is established.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; user CLI invocation runs concord
Impact
Installs and runs the Concord prebuilt binary for the user's platform
Mechanism
platform-specific GitHub release artifact download, extraction, and CLI spawn
Rationale
Static inspection shows a conventional prebuilt-binary npm installer whose network, filesystem, and child_process behavior matches the advertised Concord CLI package. No concrete exfiltration, persistence, destructive behavior, dependency confusion, or unconsented control-surface mutation was found.
Evidence
package.jsoninstall.jsbinary.jsbinary-install.jsrun-concord.jsREADME.mdnpm-shrinkwrap.jsonnode_modules/.bin_realtemporary OS archive path
Network endpoints1
github.com/chojs23/concord/releases/download/v2.2.11

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json has postinstall: node ./install.js
  • install.js calls install(false) during npm install
  • binary-install.js downloads and extracts a platform archive, then run() spawnSyncs the installed binary
Evidence against
  • Network use is limited to package.json artifactDownloadUrls under github.com/chojs23/concord releases
  • Installer writes only node_modules/.bin_real and a temp archive before tar/unzip extraction
  • run-concord.js only invokes run("concord") for the declared CLI bin
  • No source evidence of env/credential harvesting, arbitrary eval, persistence, destructive project traversal, or AI-agent control-surface writes
Behavioral surface
Source
ChildProcessFilesystemNetwork
Supply chain
UrlStrings
Manifest
CopyleftLicense
scanned 4 file(s), 10.0 KB of source, external domains: example.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node ./install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High2 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings
LowCopyleft License