registry  /  @dshakesnotbot/firstpass-proxy  /  0.1.6

@dshakesnotbot/firstpass-proxy@0.1.6

Drop-in, Anthropic-compatible LLM proxy that routes each request to the cheapest model that provably passes a quality gate, escalates on failure, and records a tamper-evident audit trace.

AI Security Review

scanned 8h ago · by lpm-firewall-ai

Installation downloads a platform-specific native archive from the configured GitHub release URL, extracts it into this package, and later CLI commands execute it. The JavaScript source does not verify the downloaded artifact or constrain redirect destinations.

Static reason
One or more suspicious static signals were detected.
Trigger
npm postinstall downloads/extracts; invoking `firstpass` or `firstpass-proxy` executes the installed binary.
Impact
A compromised release asset or redirect target could supply code executed by the package CLI.
Mechanism
unsigned remote native-binary bootstrapper
Rationale
No credential theft, AI-agent control-surface mutation, destructive behavior, or direct exfiltration is present in the inspected source. However, an unverified postinstall remote-binary bootstrapper is a material unresolved supply-chain risk.
Evidence
package.jsoninstall.jsbinary.jsbinary-install.jsrun-firstpass.jsrun-firstpass-proxy.jsnode_modules/.bin_real
Network endpoints1
github.com/dshakes/firstpass/releases/download/v0.1.6

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `package.json` runs `node ./install.js` at postinstall.
  • `binary.js` derives a GitHub release artifact URL from `artifactDownloadUrls`.
  • `binary-install.js` downloads, follows up to five redirects, and extracts archives without checksum/signature verification.
  • `run-firstpass*.js` later executes the downloaded native binary from `node_modules/.bin_real`.
Evidence against
  • Installer writes only package-local `node_modules/.bin_real`.
  • Environment reads are limited to standard HTTP proxy settings.
  • No source reads credentials, shell profiles, agent configs, or unrelated user files.
  • No bundled binary, obfuscated payload, eval, or import-time binary execution was found.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 13.5 KB of source, external domains: example.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node ./install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings