@emend-ai/utim@1.44.2

UTIM – Universal Terminal Intelligence Manager. An agentic AI coding assistant for your terminal.

AI Security Review

scanned 16h ago · by lpm-firewall-ai

The package has install-time behavior that pre-installs a Python package named utim-cli, and the CLI can install or upgrade that same Python dependency before launching it. This is risky supply-chain behavior but is package-aligned and no concrete malicious payload is present in the npm wrapper source.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall; user running utim
Impact
Runs third-party Python package installation at install time or first CLI use; no confirmed data theft, persistence, or agent control-surface hijack in inspected npm source.
Mechanism
npm wrapper installs and launches a Python CLI engine via pip
Attack narrative
On npm install, the postinstall script looks for Python, chmods the package CLI, and silently runs pip to install or upgrade utim-cli. If that pre-warm does not happen, running the utim binary repeats the Python discovery, may install Termux dependencies, installs or upgrades utim-cli with pip, and launches python -m utim_cli.utim. The inspected npm package does not harvest secrets, plant agent configs, or create persistence outside package-manager installation behavior.
Rationale
Static inspection confirms risky install-time pip execution, but it is clearly aligned with the package's documented CLI wrapper purpose and lacks concrete malicious behavior in the npm source. Treat as suspicious rather than block because the actual Python engine is an external payload installed at lifecycle/first-run time, but no unconsented foreign AI-agent control-surface mutation or exfiltration was found.
Evidence
  • package.json
  • scripts/postinstall.js
  • bin/utim.js
  • Python site-packages for utim-cli via pip
  • Termux packages python-cryptography and python-pydantic when user runs CLI on Termux
Network endpoints (5)
  • registry.npmjs.org/
  • utim.dev
  • github.com/emendai/utim/issues
  • github.com/emendai/utim.git
  • python.org

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall: node scripts/postinstall.js
  • scripts/postinstall.js runs python -m pip install --upgrade --quiet utim-cli during npm install when Python is present
  • bin/utim.js auto-installs or upgrades pip package utim-cli on first CLI run and then launches python -m utim_cli.utim
  • scripts/postinstall.js chmods bin/utim.js inside the package
Evidence against
  • No code writes AI-agent control surfaces such as Claude/Codex/Cursor/MCP config files
  • No credential, env, or local file harvesting logic observed
  • No direct exfiltration endpoint is hardcoded; network activity is limited to package-manager installs
  • Lifecycle script exits 0 on failure and does not persist daemons or shell/VCS hooks
  • Package contents are small and limited to package.json, bin/utim.js, scripts/postinstall.js, README.md, LICENSE
Behavioral surface
Source
ChildProcess, EnvironmentVars, Filesystem
Supply chain
UrlStrings
Manifest
No manifest risk signals triggered.
scanned 2 file(s), 10.1 KB of source, external domains: python.org

Source & flagged code

2 flagged
package.json
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json

Findings

1 High · 2 Medium · 3 Low
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Medium: Environment Vars
  • Low: Scripts Present
  • Low: Filesystem
  • Low: Url Strings