AI Security Review
scanned 16h ago · by lpm-firewall-aiThe package has install-time behavior that pre-installs a Python package named utim-cli, and the CLI can install or upgrade that same Python dependency before launching it. This is risky supply-chain behavior but is package-aligned and no concrete malicious payload is present in the npm wrapper source.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall; user running utim
Impact
Runs third-party Python package installation at install time or first CLI use; no confirmed data theft, persistence, or agent control-surface hijack in inspected npm source.
Mechanism
npm wrapper installs and launches a Python CLI engine via pip
Attack narrative
On npm install, the postinstall script looks for Python, chmods the package CLI, and silently runs pip to install or upgrade utim-cli. If that pre-warm does not happen, running the utim binary repeats the Python discovery, may install Termux dependencies, installs or upgrades utim-cli with pip, and launches python -m utim_cli.utim. The inspected npm package does not harvest secrets, plant agent configs, or create persistence outside package-manager installation behavior.
Rationale
Static inspection confirms risky install-time pip execution, but it is clearly aligned with the package's documented CLI wrapper purpose and lacks concrete malicious behavior in the npm source. Treat as suspicious rather than block because the actual Python engine is an external payload installed at lifecycle/first-run time, but no unconsented foreign AI-agent control-surface mutation or exfiltration was found.
Evidence
package.jsonscripts/postinstall.jsbin/utim.jsPython site-packages for utim-cli via pipTermux packages python-cryptography and python-pydantic when user runs CLI on Termux
Network endpoints5
registry.npmjs.org/utim.devgithub.com/emendai/utim/issuesgithub.com/emendai/utim.gitpython.org
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- package.json defines postinstall: node scripts/postinstall.js
- scripts/postinstall.js runs python -m pip install --upgrade --quiet utim-cli during npm install when Python is present
- bin/utim.js auto-installs or upgrades pip package utim-cli on first CLI run and then launches python -m utim_cli.utim
- scripts/postinstall.js chmods bin/utim.js inside the package
Evidence against
- No code writes AI-agent control surfaces such as Claude/Codex/Cursor/MCP config files
- No credential, env, or local file harvesting logic observed
- No direct exfiltration endpoint is hardcoded; network activity is limited to package-manager installs
- Lifecycle script exits 0 on failure and does not persist daemons or shell/VCS hooks
- Package contents are small and limited to package.json, bin/utim.js, scripts/postinstall.js, README.md, LICENSE
Behavioral surface
ChildProcessEnvironmentVarsFilesystem
UrlStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High2 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings