AI Security Review
scanned 3h ago · by lpm-firewall-aiThe package uses an npm postinstall hook to pre-install a Python engine package and repeats installation on first CLI run if missing. This is a risky install-time side effect but source inspection did not show credential theft, persistence, destructive behavior, or foreign AI-agent control-surface mutation.
Decision evidence
public snapshot- package.json defines postinstall: node scripts/postinstall.js
- scripts/postinstall.js runs python -m pip install --upgrade --quiet utim-cli during npm install
- bin/utim.js auto-installs/updates utim-cli with pip on first CLI run if missing
- bin/utim.js uses child_process and platform shell helpers including cmd.exe/osascript for installation
- Termux path installs packages and adds extra pip indexes
- No credential harvesting, filesystem enumeration, or exfiltration code found in inspected JS
- No fetch/HTTP client or custom exfil endpoint in package source
- Network activity is package-aligned dependency installation via pip/npm metadata URLs
- No AI-agent config/control-surface writes found
- CLI behavior matches README/package description as a launcher for UTIM Python engine
Source & flagged code
3 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
bin/utim.jsView on unpkg