AI Security Review
scanned 4h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established by the inspected package source. The install hook is a conventional package-aligned native binary downloader, and agent-control-surface changes are documented user-invoked CLI behavior rather than lifecycle delivery.
Decision evidence
public snapshot
- package.json postinstall runs install.js
- binary-install.js downloads a platform tarball and extracts it with tar/unzip/powershell
- run-rdm.js executes the installed rdm binary on explicit CLI use
- Download URL is package-aligned: GitHub releases for edpaget/rdm v0.16.0
- Lifecycle writes only into package-local node_modules/.bin_real plus OS temp download path
- No credential harvesting or exfiltration logic found
- Proxy env vars are only used for conventional download proxy support
- Agent config and hook writes described in README are user-invoked rdm commands, not install-time mutations
Source & flagged code
3 flagged
- package.json: Package defines install-time lifecycle scripts.
- package.json: Install-time lifecycle script is not statically allowlisted and needs review.
- binary-install.js: This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.