AI Security Review
scanned 2h ago · by lpm-firewall-aiThe package performs an npm postinstall pre-warm that can install the package-aligned Python engine utim-cli via pip. The CLI can also install that engine on first run and then execute it.
Decision evidence
public snapshot- package.json defines postinstall: node scripts/postinstall.js
- scripts/postinstall.js runs python -m pip install --upgrade --quiet utim-cli during npm install
- bin/utim.js auto-installs utim-cli via pip on first CLI run if missing
- bin/utim.js Termux path downloads pydantic-core release metadata/wheels from GitHub and uses extra package indexes
- bin/utim.js launches Python module utim_cli.utim with user args after install
- No credential/env harvesting beyond Termux PREFIX detection found
- No AI-agent config/control-surface writes such as .codex, Claude, Cursor, or MCP config mutation found
- Network/install behavior is package-aligned to UTIM's Python engine rather than an unrelated payload
- No obfuscation, eval/vm/Function, or hidden decoded strings found
- Postinstall exits successfully on failures and does not persist beyond pip installation
Source & flagged code
3 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
bin/utim.jsView on unpkg