registry  /  @chojs23/concord  /  2.2.12

@chojs23/concord@2.2.12

A terminal user interface client for Discord

AI Security Review

scanned 10d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a binary-distribution wrapper for a Discord TUI and downloads its own GitHub release artifact during postinstall.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall, or running the concord bin if the binary is missing
Impact
Installs and runs the package's native concord binary; no source-confirmed malicious side effects in wrapper code
Mechanism
platform-specific release artifact downloader and CLI launcher
Rationale
The suspicious primitives are package-aligned for a Rust CLI npm wrapper: postinstall downloads the documented Concord release artifact and the bin launcher executes it. Static inspection found no credential harvesting, unrelated network endpoint, persistence, destructive behavior, or prompt/reviewer manipulation in the package JS source.
Evidence
package.jsoninstall.jsbinary.jsbinary-install.jsrun-concord.jsREADME.mdnode_modules/.bin_realtemporary archive under os tmpdir
Network endpoints1
github.com/chojs23/concord/releases/download/v2.2.12

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json defines postinstall: node ./install.js
  • binary-install.js downloads a platform archive and extracts it with tar/unzip/powershell
  • run-concord.js executes downloaded node_modules/.bin_real/concord on user CLI invocation
Evidence against
  • README.md documents npm package installs prebuilt GitHub Release binary
  • package.json artifact URL is project-aligned: github.com/chojs23/concord/releases/download/v2.2.12
  • No source evidence of credential/env/file harvesting or exfiltration in JS installer
  • No install/import-time AI agent control-surface writes, persistence, or destructive project actions found
  • Network use is limited to release artifact download/proxy support for the package binary
Behavioral surface
Source
ChildProcessFilesystemNetwork
Supply chain
UrlStrings
Manifest
CopyleftLicense
scanned 4 file(s), 10.0 KB of source, external domains: example.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node ./install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High2 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings
LowCopyleft License