AI Security Review
scanned 2h ago · by lpm-firewall-ai
The package is a thin npm launcher/bootstrapper for a Python package. The risk comes from install-time and first-run pip installation of the package-aligned utim-cli engine, a PyPI package whose source is not included in this npm package and is therefore outside the scope of this scan.
Decision evidence
public snapshot
- package.json defines postinstall: node scripts/postinstall.js
- scripts/postinstall.js runs python -m pip install --upgrade --quiet utim-cli during npm install (no version pin or hash; --upgrade fetches whatever PyPI serves as latest at install time)
- bin/utim.js auto-installs utim-cli with pip on first CLI run if missing
- bin/utim.js launches python -m utim_cli.utim with user args
- bin/utim.js can install Termux packages/build tools via pkg when run
- No code found harvesting credentials, npm tokens, ssh keys, or env secrets
- No exfiltration endpoint or HTTP client code in package source
- Postinstall target is package-aligned utim-cli engine, not a foreign AI-agent control surface
- No eval/vm/Function or obfuscated payload strings found
- No persistence or destructive filesystem behavior beyond chmod and temporary lock cleanup
Source & flagged code
3 flagged
- package.json: Package defines install-time lifecycle scripts.
- package.json: Install-time lifecycle script is not statically allowlisted and needs review.
- bin/utim.js: This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.