AI Security Review
scanned 2h ago · by lpm-firewall-ai
LPM treats this as warn-only first-party agent extension lifecycle risk. Install-time and first-run behavior installs a Python engine package named utim-cli. This is a risky package-manager bridge but appears aligned with the declared CLI wrapper purpose, without confirmed malicious payload in the npm source.
Decision evidence
public snapshot
- package.json runs postinstall script at npm install time.
- scripts/postinstall.js silently invokes Python pip install --upgrade --quiet utim-cli when Python is present.
- bin/utim.js auto-installs utim-cli from pip on first CLI run and launches python -m utim_cli.utim.
- bin/utim.js Termux path can run pkg install/update and uses extra package indexes.
- No credential/env harvesting beyond Termux detection via PREFIX.
- No data exfiltration logic or package-authored network client code found.
- Network activity is package-aligned dependency installation from pip/package indexes.
- No AI-agent config/control-surface writes found.
- No eval/vm/Function, obfuscation, native binary, or destructive filesystem logic found.
Source & flagged code
3 flagged
- package.json: Package defines install-time lifecycle scripts.
- package.json: Install-time lifecycle script is not statically allowlisted and needs review.
- bin/utim.js: This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.