registry  /  @exonix/tchat-cli  /  1.1.22

@exonix/tchat-cli@1.1.22

TChat CLI - AI friendly command line tool for TChat platform

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface in the inspected wrapper package. Install-time code only verifies the expected optional platform binary is present; runtime delegates to that binary when the user invokes the CLI.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; user runs tchat-cli for runtime delegation
Impact
No source-confirmed credential theft, exfiltration, persistence, or destructive behavior in this package
Mechanism
platform binary resolver and CLI wrapper
Rationale
The suspicious lifecycle and child_process primitives are package-aligned for a native-binary CLI wrapper, and inspected source shows no install-time payload beyond local binary existence checks. The platform binary packages are separate optional dependencies, but this package source itself does not establish malicious behavior.
Evidence
package.jsonscripts/install.jsbin/tchat-cliREADME.md

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines postinstall: node scripts/install.js
  • bin/tchat-cli uses child_process.execFileSync to run a platform binary from optionalDependencies
Evidence against
  • scripts/install.js only resolves platform package path and checks fs.existsSync for bin/tchat-cli
  • No install-time network, file writes, credential reads, persistence, eval/vm, or dynamic remote loading found
  • Runtime execFileSync is the declared CLI wrapper behavior and passes user CLI args to the resolved binary
  • README token/config references describe user-invoked CLI configuration, not package install/import harvesting
Behavioral surface
Source
Filesystem
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 1.71 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High1 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present
LowFilesystem