registry  /  @dshakesnotbot/firstpass-proxy  /  0.1.4

@dshakesnotbot/firstpass-proxy@0.1.4

Drop-in, Anthropic-compatible LLM proxy that routes each request to the cheapest model that provably passes a quality gate, escalates on failure, and records a tamper-evident audit trace.

AI Security Review

scanned 2d ago · by lpm-firewall-ai

npm postinstall fetches a platform-specific archive, extracts it under the package, and exposes launchers that execute it. The fetched executable is not integrity-pinned by the reviewed source.

Static reason
One or more suspicious static signals were detected.
Trigger
npm installation triggers postinstall; invoking firstpass or firstpass-proxy executes the downloaded binary.
Impact
A compromised release asset or redirect target could execute arbitrary native code as the installing user.
Mechanism
remote binary download, extraction, and execution
Rationale
The source establishes unverified install-time native payload delivery and execution, creating a material supply-chain risk. It does not establish a concrete malicious objective or unrelated control-surface mutation, so blocking is not justified from static source alone.
Evidence
package.jsoninstall.jsbinary.jsbinary-install.jsrun-firstpass.jsrun-firstpass-proxy.jsnode_modules/.bin_real
Network endpoints1
github.com/dshakes/firstpass/releases/download/v0.1.4

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall: node ./install.js.
  • install.js invokes the binary installer during npm installation.
  • binary.js builds release URLs from package.json metadata.
  • binary-install.js downloads and extracts an executable archive with no checksum/signature verification.
  • binary-install.js follows up to five redirects and later executes extracted binaries.
Evidence against
  • Configured download host is package-aligned: github.com/dshakes/firstpass releases.
  • Installer writes only its package-local node_modules/.bin_real directory.
  • Environment access is limited to standard HTTP proxy settings.
  • No source evidence of credential harvesting, arbitrary file reads, AI-agent config writes, or destructive actions.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 13.5 KB of source, external domains: example.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node ./install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings